Risk in Context

Complying with New EU Data Rules Brings Added Benefits

Posted by Thomas Reagan October 23, 2017

The EU General Data Protection Regulation (GDPR) — which comes into force in May 2018 — will establish global requirements governing how organizations that do business in the EU must manage and protect its citizens’ personal data.


And yet, with only months remaining until GDPR enforcement begins, just 8% of organizations that will be subject to the rule said they are fully compliant, according to a survey from Marsh conducted this summer. Nearly one-third of respondents said their organization had not yet developed a plan, or did not know if it had. What might explain this?

Size: One possible answer is size. Broadly speaking, respondents at larger organizations were more likely to report higher levels of GDPR compliance. It’s likely these organizations have more resources to invest in compliance, along with the management infrastructure to support compliance measures.

Location: Many organizations that are further along in compliance also have significant operations in the US, which has long had aggressively articulated and enforced data protection practices and breach notification policies. They are thus more likely to have a robust compliance infrastructure already in place — and can more easily adapt to meet GDPR demands.

Investment: Factors beyond size and location also contribute. Some organizations may be overwhelmed by the task at hand. The GDPR requires more than checking a box; it calls for a rethinking of data management practices. This holistic approach requires significant management attention and investment to understand the GDPR’s business implications, the activities that may trigger it, and how it interacts with cyber insurance and other areas.


What’s more, many organizations may not fully appreciate that the GDPR applies to them, especially in industries not traditionally seen as data collectors. For example, manufacturing-oriented businesses, such as in the automotive and chemical industries, report being less prepared than organizations in other sectors.

The reality is that almost every business today is data-driven. Even organizations that do not directly collect, hold, or analyze customer data could see their business severely disrupted through a cyber-attack on a key vendor or supplier.

Finally, many specifics of the GDPR need to be sorted out by national regulators. As a result, some respondents who report being far along in GDPR compliance may be reluctant to deem themselves fully compliant. Likewise, organizations that have not started planning may be waiting for additional clarity.


The survey also pointed out an early knock-on benefit to the GDPR: As organizations work to comply, they are exhibiting growth and innovation in cyber risk management. Even before implementation, the GDPR is encouraging organizations to adopt more rigorous data protection protocols and modernize their business practices for a data-driven world.
