GDPR has brought significant economic gains

GDPR has brought significant economic gains. That’s the conclusion of a new study by CNIL, the French data protection authority. The rule requiring companies to notify individuals of data breaches alone has generated societal savings of between €585 million and €1.4 billion in avoided identity-theft costs.

Published: July 24, 2025, by Jacob Høedt Larsen, PR & PA

Jacob Høedt Larsen, PR & PA at Wired Relations, is the host of Sustainable Compliance podcast and an expert on GRC workflows, supported by software, setting up a GRC program, managing a GRC team and securing management buy-in.


According to the Draghi Report – a document on the future of European competitiveness – GDPR reduces the profits of small and medium-sized enterprises (SMEs) by 12% annually. The legislation is said to be overly complex and a hindrance to innovation and development.

These are the typical arguments made against GDPR and similar digital regulations.

However, the new CNIL study paints a more nuanced picture. Digital regulation forces companies to invest more in cybersecurity – and that has a positive economic impact.

To understand why, we need to talk about concepts such as externalities and public goods. That may sound complicated – but it really isn’t.

So, stay with me.

Companies in the EU underinvest in cybersecurity

One reason for this is that the costs of hacking and data breaches are often borne by others, not by the company that was breached.

Let’s take an example.

A company is hacked and loses a great deal of customer data. The information is used for identity theft: loans are taken out in the names of affected individuals, and their credit cards are misused. These incidents have severe consequences for the victims – and for society at large – but the company may not necessarily have to foot the bill.

Economists call this an externality.

If companies in the EU raise their cybersecurity standards, people like you and me – and society as a whole – become better off. Cybersecurity benefits everyone, just like roads, basic research and national defence. Economists call this a public good.

But here’s the problem

When a company’s board considers where to invest its money, it sees only the benefits that accrue to the company itself, not the benefits to customers and society that cybersecurity also produces.

That’s why companies don’t invest enough.

However, we can give them a nudge through regulation.

Take the example of stolen personal data used for identity theft. We could require companies to inform customers when such a breach occurs (which is exactly what GDPR does).

This kind of rule enables me, as a customer, to seek compensation, choose another provider, and warn my friends to do the same.

In other words: more of the costs are now borne by the company – the same company that profits from running its business in the first place.

And suddenly, it makes financial sense for the company to invest in cybersecurity.

That’s what CNIL has analysed – and their findings show that digital regulation results in major societal benefits.

Read the full report here.
