CIO

Customers recommend and spend more with companies that protect their data – so why are so few businesses GDPR ready?

Even though consumers feel strongly about companies’ need to secure data, most companies still aren’t ready to do so – just a week out from game-changing GDPR legislation

Increasingly data-hungry businesses risk commercial consequences as sceptical consumers threaten retaliatory action against companies that can’t protect sensitive personally identifiable information (PII), new research has found, even as surveys suggest just 29 percent of companies will comply with globally significant GDPR privacy legislation when it comes into effect next week.

Fully 37 percent of Australian respondents to the 3GEM/Veritas Technologies Global Data Privacy Consumer Study 2018 – released during this week’s global Privacy Awareness Week (PAW) – said they have low confidence that companies are taking the appropriate steps to protect their personal data, and just 22.1 percent said they have high confidence that their data is being protected.

Respondents were most resistant to sharing financial information – cited by 58.2 percent of respondents – with information about their online habits, such as where they shop and whom they interact with, judged by 41.1 percent to be as sensitive as respondents’ location (40.4 percent) and details about their health (39.9 percent).

“In light of recent events and changes in the law, consumers need much more reassurance when it comes to what personal data companies hold on them, and how it is shared and used,” said Veritas senior director and global privacy lead Tamzin Evershed in a statement.

“This could have significant implications for businesses that rely on collecting consumer data to provide intelligent and targeted services, such as location-based apps. The most successful companies will be those that are able to demonstrate that they are managing and protecting personal data in a compliant way across the board.”

A range of rewards and punishment behaviours were mooted for companies that fail or succeed in guarding sensitive data appropriately.

By far the most likely consequence: 39.2 percent of respondents said they would stop buying goods or services from companies that failed to protect their personal data; an additional 21.8 percent said they would be more likely to consider competitors in such a situation, while a further 24.0 percent would do both.

Some 82.1 percent of respondents indicated they would discourage their friends from spending money with a company that failed to adequately protect their personal data, while fully 75.8 percent said they would report such a failure to regulators and 63.7 percent would post negative reviews about the company online.

The commercial value of compliance

By contrast, companies that do protect data well can anticipate supportive behaviours from customers – including 29.8 percent that said they would encourage friends to frequent the company, 24.4 percent that said they would favour the company over cheaper competitors, and 12 percent who said they would promote the company on social media.

Privacy protection could even be good for business, with some 22.3 percent of respondents saying they would spend up to 25 percent more annually with companies known to be serious about data privacy and protection. Some 14.7 percent said they would spend 25 to 50 percent more with such a company, while 6 percent of customers said they were likely to spend twice as much with a company with effective privacy protections.

Yet 32.7 percent of customers said they would do none of the above, with most agreeing that data protection should be a “mandatory duty for all companies.”

A rising tide of privacy regulations agrees with this last statement, but other new research suggests that most companies will not be compliant with the European Union general data protection regulation (GDPR) – the clearest and strictest code around protection of private data – when it comes into effect next week.

ISACA’s latest GDPR Readiness Survey, conducted in April amongst more than 6000 professionals worldwide, found that just 29 percent of respondents said their organisation would be fully GDPR-compliant by the May 25 deadline.

One in ten respondents still doesn’t know whether their organisation is required to be GDPR-compliant – an issue that is particularly relevant for Australian companies, many of which may not realise they have GDPR obligations – while just 39 percent said their staff had been educated as to what actions they need to take to maintain GDPR compliance.

The biggest challenge for companies continues to be the discovery and mapping of their corporate data holdings – cited by 59 percent – but many (47 percent) had struggled to keep GDPR high on the list of business priorities, or to organise education and change programs (45 percent).

Those figures paint a bleak portrait of real-world privacy protections going forward, with most companies facing potential reputational and commercial damage from disillusioned customers who are becoming less tolerant of privacy breaches. Yet with Gartner predicting just half of companies will be GDPR compliant by the end of 2018 – and ISACA confirming this, with a figure of 51 percent amongst APAC companies – the coming year or more is likely to see many companies on the back foot as inadequate preparations, combined with a continuing onslaught of data breaches, lead customers towards punitive action.

“One of the most practical and cost-effective ways organisations can support GDPR and other compliance requirements is to help employees understand the business value of the information they deal with on a regular basis,” said Tim Upton, CEO of ISACA report sponsor TITUS, in a statement.

“That way, employees become more aware of their responsibilities when it comes to handling and protecting data within the flow of work, providing added value to the ways organisations earn and maintain the trust of customers and employees.”