Study reveals the economic benefits of GDPR on cybersecurity
24/06/2025 | French DPA
The French data protection authority, the CNIL, has published a review of the economic impact of the EU General Data Protection Regulation (GDPR) five years after its implementation. The review aims to highlight often-overlooked GDPR benefits, particularly from a cybersecurity perspective.
The CNIL argues that information security investment decisions are only optimal when they take into account the effect of regulation and its external impact on society. The report identifies three notable external factors. First, a company's cybersecurity investment creates a more resilient overall environment, benefiting other companies through a form of "herd immunity." Second, underinvestment in cybersecurity increases the profitability of cybercrime, as successful attacks enable criminals to demand higher ransoms, creating a "vicious cycle" where a lack of security exacerbates the severity and profitability of cybercrime. Finally, personal data breaches often expose customer data, leading to further cyberattacks against individuals, while, without disclosure obligations, companies can avoid responsibility. The GDPR combats all three of these factors by requiring breach notifications, generating societal benefits and strengthening overall security.
The report highlights several economic benefits related to data breach notifications, indicating that they can lead to a reduction in identity theft by 2.5% to 6.1%. When extrapolating data for the entire EU, it is estimated that these notifications have resulted in savings of between €585 million and €1.4 billion since 2018. In addition, when factoring in compensation for these losses and the adverse effect of identity theft on victims' trust in online shopping, it is estimated that 82% of the avoided losses ultimately benefit companies.