
Risk in Context

Complying with New EU Data Rules Brings Added Benefits

Posted by Thomas Reagan Wednesday, 25 October 2017

The EU General Data Protection Regulation (GDPR) — which comes into force in May 2018 — will establish global requirements governing how organisations that do business in the EU must manage and protect its citizens’ personal data.
And yet, with only months remaining until GDPR enforcement begins, just 8% of organisations that will be subject to the rule said they are fully compliant, according to a survey from Marsh conducted this summer. Nearly one-third of respondents said their organisation had not yet developed a plan, or did not know if it had. What might explain this?

Size: One possible answer is size. Broadly speaking, respondents at larger organisations were more likely to report higher levels of GDPR compliance. It’s likely these organisations have more resources to invest in compliance, along with the management infrastructure to support compliance measures.

Location: Many organisations that are further along in compliance also have significant operations in the US, which has long had aggressively articulated and enforced data protection practices and breach notification policies. They are thus more likely to have a robust compliance infrastructure already in place — and can more easily adapt to meet GDPR demands.

Investment: Factors beyond size and location also contribute. Some organisations may be overwhelmed by the task at hand. The GDPR requires more than checking a box: it requires a rethinking of data management practices. This holistic approach demands significant management attention and investment in understanding the GDPR’s business implications, the activities that may trigger it, and how it interacts with cyber insurance and other areas.

What’s more, many organisations may not fully appreciate that the GDPR applies to them, especially in industries not traditionally seen as data collectors. For example, manufacturing-oriented businesses, such as in the automotive and chemical industries, report being less prepared than organisations in other sectors.

The reality is that almost every business today is data-driven. Even organisations that do not directly collect, hold, or analyze customer data could see their business severely disrupted through a cyber-attack on a key vendor or supplier.

Finally, many specifics of the GDPR need to be sorted out by national regulators. As a result, some respondents who report being far along in GDPR compliance may be reluctant to deem themselves fully compliant. Likewise, organisations that have not started planning may be waiting for additional clarity.
The survey also pointed out an early knock-on benefit to the GDPR: As organisations work to comply, they are exhibiting growth and innovation in cyber risk management. Even before implementation, the GDPR is encouraging organizations to adopt more rigorous data protection protocols and modernise their business practices for a data-driven world.