The Cost of Privacy: How to build an ROI for the GDPR

Last month, the Financial Times held a debate on the GDPR at their Cyber Security Summit in London. The proposition: "The EU's new data protection rules will impose an unnecessary burden on business". I've listened to it online a few times. If you care about data governance, you'll want to listen to it for yourself. It's quite thought-provoking, but I think the panelists missed an important point.

(NOTE: If you don't know what the GDPR is, I've summarized it in my previous post "The Difference Between Privacy And Security: How To Comply With The GDPR". While this is a European regulation, it's viral, and is destined to infect your business sooner or later, like it or not.)

As one speaker noted, all regulations by definition impose burdens. The key is whether the burden is necessary, and to determine that you need to weigh the burden against the value of the regulation. The problem with the debate was that the panelists lacked a shared understanding of the intended goal of the regulation, so each weighed the burden against a different value.

Those speaking in favor of the proposition (and therefore against the GDPR) argued that the goal of any European Commission regulation should be to improve the competitive landscape for European business, that this regulation is anti-competitive, and that while customers want their data protected, the natural forces of the market will favor those companies that give customers what they want, so in the end no regulation is needed. Those speaking against the proposition (and therefore in favor of the GDPR) argued that the value of the regulation lies primarily in harmonizing the 28 separate sets of data protection regulations into one unified set, thereby lowering the costs of competition.

For the record, as a business owner, I'm usually against regulation. I don't believe government is good at creating laws that set the rules of competition. When they do, the rules they set usually do more harm than good. But that argument only applies to the GDPR if you buy the premise that its goal has anything to do with competition. I don't believe that's its purpose.

I believe the goal of the GDPR is to clarify European citizens' rights to privacy in the digital world, or as one of the panel members more elegantly put it, "to protect our digital existence". You can't make an economic argument about a right. You either accept its value or you don't. And if you do, when it comes to protecting that right, like it or not, the law is all we have. You can't expect an economic entity that is optimized for profit to disregard profit in favor of a right unless it is compelled to do so - and an efficient way to compel it is to impact its profits.

But at what cost?

In the post I referenced above, I argued that compliance with the GDPR is simply a matter of becoming governance-ready. In an earlier post, "Are We Overthinking Data Governance?", I argued that the cost of becoming governance-ready is equal to the cost of proactively managing your data: of knowing what you have and where it is, of putting it where it belongs so it can be easily accessed, and of deleting it, defensibly of course, when its life cycle has ended and it no longer holds value to your company. In other words, it's the cost of indexing all your data.

Is the cost worth it?

Well, if you are subject to the GDPR, and every global company will be, the answer is a simple yes. The fine for non-compliance is 4% of last year's worldwide revenue or 20 million Euros, whichever is greater. Some of the panelists argued that this is too high. Clearly it's been set at a level to get your attention. It is sending the signal that compliance is demanded, that protecting privacy is non-negotiable, and that the behavior companies have adopted in the eDiscovery world, arguing burden or settling rather than complying with comprehensive data collection, will not be tolerated in this realm.

But that's not the right way to think about it. There is a positive economic argument that can be made in favor of the GDPR. If you look at the big picture, it's an investment with a real and substantial return. I can't give you a simple universal ROI formula, but I can help you imagine what your organization will look like once it is governance-ready. So humor me. Sit back in your chair, and imagine a data center where:

  • all corporate data is classified and stored appropriately.
  • the identification, collection and preservation phases of eDiscovery are obsolete. You can find data responsive to any legal or regulatory request just about as simply as you can search the Internet. Key data is preserved as a matter of automated policy.
  • dark data is obsolete. You know where everything is all the time, and can access it subject to your standard corporate security controls.
  • personal data, sensitive data, and corporate intellectual property are secured, compliant and under control.
  • security attributes for all data at rest are proactively managed.
  • copy data is minimized, and storage for data ROT (redundant, outdated and trivial) is eliminated.
  • archival data is accessible, organized, searchable and stored on the cheapest class of storage appropriate for your needs.
  • backup data is held on disk for around 30 days (for as long as it is useful for disaster recovery). Whatever has corporate or regulatory retention value is culled out and archived on cheap, archival-class storage. The rest, typically 95-98% of the total, is deleted. No more backup tapes. No more long-term backup storage headaches.
  • a similar process is used for legacy data acquired from mergers or reorganizations. Legacy applications can then be retired.
  • logs automatically maintain the defensibility of all data management decisions.

That's what a governance-ready data center looks like. That's the benefit that comes with the cost. It sounds more like the elimination of existing burdens than the creation of new ones. And if you manage corporate data, that's something that will help you sleep more soundly at night.

The burden imposed by the GDPR is a necessary consequence of your responsibility to protect the digital privacy rights of your customers. But by fully embracing the change that GDPR compliance requires, you will dramatically transform your data center, and the costs associated with that transformation will have a substantial ROI.

Sunil Anand Solomon

Digital Marketing for Startups | IT Lead Generation | Tech Sales

5y

Quite an insightful read on how to go about getting better ROI for the GDPR.. https://www.linkedin.com/company/wings2i-it-solutions-private-limited/

John O'Gorman

Disambiguation Specialist

6y

Tim - "I think that (compliance certification) can only be done by trusted third parties offering their assurances that a company complies with standards like the GDPR. That's the way to introduce the free market." Great point. Certification by the ICO (who is 'EY'?) will be of demonstrable value in the marketplace. GDPR finally gives DQ some focus and some urgency. It can't drag a company down, and the way you describe the future state, it won't. Nicely done.

I also believe it will help push forward some major InfoSec agendas and well a number of major Strategic data platforms; Access management, data registers, meta data tooling, central process stores... just to name a few

iain heron

Senior Data Risk & Standards Manager

7y

I also think GDPR will have a significant positive effect on reputation. A GDPR seal is a quality mark to show the organisation can be trusted with your personal data. That will improve trust, then reputation, which is another (difficult to quantify) benefit.

Nice view on this, thanks. Agree with Tara that good-governed privacy can transform into a valuable asset.
