One of the more enlightening moments in my information security career was when someone going through a compliance effort told me that it was a “shame they will be spending all this money [on compliance] and not gaining a single business efficiency”.
That statement reflects the challenge for chief information security officers, and the entire information security community. The common perception is that security and compliance activities reduce profit margins, so the associated expenses must be kept to a minimum. We are already hearing this in some of our conversations about GDPR compliance.
The challenge is to turn security and compliance, GDPR or otherwise, into an enabler of business instead of a cost of business. Yes, complying with GDPR will increase costs since businesses will need to hire consultants, educate employees, purchase and deploy technologies and implement additional processes. But what are the advantages or benefits that a business can gain from their GDPR compliance efforts?
Efficiency and innovation
Complying with GDPR will require that businesses understand what data they have, where it exists, why the information is needed, and how it is used. Taking stock of the processes across your organization will allow you to spot and eliminate inefficiencies, and also identify new opportunities by applying processes in a different way or for a different outcome.
Data quality
Every business keeps multiple copies of the same information when one copy, usually the most recent, is all it needs. The GDPR-driven effort to discover personal data and understand it will uncover data quality issues caused by out-of-date or simply inaccurate information. Poor data quality leads to poor data analysis. Poor data analysis, in a healthcare environment for example, can have deadly consequences.
Repeatability
A process under control produces reliable results each time. With efficient processes and high-quality data sources, businesses can deliver consistent results. Repeatability also allows businesses to refine processes with each iteration.
Reduced risk
Sound information governance and compliance practices will reduce the risk of non-compliance. These practices also reduce the risks associated with slow time to market (inefficiency), improper decision inputs (poor data quality), rework (no repeatability) and low margins (high expenses).
Decreased expenses
Businesses can reduce infrastructure costs by deleting old, inaccurate and redundant information. Storing less data not only saves money, but also saves time by reducing how long it takes to back up and restore data. Yes, these savings will be offset by the increased expenses associated with compliance, but that does not negate the benefits mentioned above.
Whether GDPR, and compliance writ large, is a tax or an incentive is a glass-half-empty or glass-half-full question. We believe that compliance programs, such as those required by GDPR, present an opportunity for businesses to improve quality and efficiency while also offsetting the costs of compliance.