For most companies, a sale delayed means money lost, and now data privacy can be added to the list of holdups that hit the bottom line.

According to a recently released study by Cisco Systems Inc., customer concerns over how data is captured, stored and deleted are causing sales delays ranging from two to 16 weeks. In its 2018 Privacy Maturity Benchmark Study, the networking giant surveyed more than 3,000 security professionals in 25 countries and found that 65 percent of the companies involved experienced sales delays averaging eight weeks in the past year.

“That’s a lot of time, and time in business is everything,” said Michelle Dennedy (pictured), Cisco’s vice president and chief privacy officer. “The self-reporting of data maturity is related to closing business more efficiently and faster on the upside and limiting your losses on the downside.”

The study roughly coincides with Data Privacy Day. Celebrated today, it’s a 10-year-old offshoot of Data Protection Day in Europe. That day in turn commemorates the Jan. 28, 1981, signing of Convention 108, the first legally binding international treaty dealing with privacy and data protection.

Dennedy stopped by the set of theCUBE, SiliconANGLE Media’s mobile livestreaming studio, during a Data Privacy Day event Thursday in San Francisco, and spoke with host Jeff Frick (@JeffFrick). Russell Schrader, executive director of the National Cyber Security Alliance, also spoke with Frick in a separate interview (bottom). They discussed the Cisco survey results, the impact of new data regulation in Europe, and the need for continued security awareness and promotion:

Hybrid model reduces data privacy risk

The survey found that companies with a centralized data structure had double the delay of firms with a hybrid model, meaning a mix of centralized and decentralized data privacy systems. The level of privacy maturity also played a key role in the likelihood and cost of data breaches. Companies with fewer ad hoc and more routinized systems, privacy policies that were stated and transparent, and well-defined board-level engagement were less likely (39 percent) to experience a loss of $500,000 or more than those that were privacy-immature (74 percent).

Building a mature data privacy model at Cisco has been a key priority for Dennedy, who has focused on the company’s core engineering organizations where training and education have been essential. “Hitting my company where it lives in engineering was a great place to start to build-in maturity,” Dennedy said. “Make sure training is fun. Be a storyteller; make it personal to your employees and your customers.”

The Cisco study comes less than six months before companies will have to confront an even more significant risk for poor data privacy compliance: the General Data Protection Regulation. These new rules take effect on May 25 for any company with data on any citizen of the European Union.

GDPR has generated intense interest, not only because of the looming deadline, but because of the significant penalties associated with noncompliance. If a company is found to be in violation of the new regulation, it can be fined 4 percent of annual global revenue.

“Now the rest of the world has to wake up and pay attention, because 4 percent of global turnover is not chump change in a multibillion-dollar business,” Dennedy said. “It’s not Y2K [computer code conversion required in 2000], it’s the beginning of a whole new era in data.”

Many companies still in the dark

There may still be some work to do with the “waking up and paying attention” part of the GDPR equation. A survey of businesses in the United Kingdom released earlier in January showed that more than half of small companies and a third of medium-sized enterprises remain unaware of either the new law or the pending deadline.

However, some security and data privacy executives such as Dennedy see the hue and cry surrounding the implementation of GDPR as a glass half full. The publicity that is bound to mount as May approaches, and even more news that could result if firms are fined eye-popping amounts later in 2018, are pushing data privacy to the forefront of the global agenda.

“I am hungry for privacy engineering to become a non-niche topic,” Dennedy explained. “After the first couple days of enforcement of GDPR… it’s really easy to say, ‘Whew, it didn’t hit me. I’ve got no problem now.’ That is not the attitude I want people to take.”

Academic programs address privacy

Although the U.S. has yet to implement regulations that emulate the strict provisions of the European law, there are still signs that data privacy is being taken seriously as demonstrated by the growth of academic programs designed to train the next generation of C-suite executives. A number of universities have opened programs in data privacy, including the University of California Berkeley Center for Law and Technology, George Mason and Cornell.

As a further way to promote awareness around privacy issues, the National Cyber Security Alliance launched a comprehensive U.S.-wide program called “CyberSecure My Business.” The intent is to help a business of any size become more secure in its online dealings and better understand the nuances of consumer data privacy.

The potential for user misunderstanding over how collected data will be used is one of the stickier areas of concern. “That’s tricky because people have to be really vigilant,” said NCSA’s Schrader. “There is this education piece, there is the personal responsibility, and you still have to trust but verify.”

The NCSA joined with a number of tech companies, including Cisco, to promote cyberawareness on Data Privacy Day. It will be interesting to see how many companies are celebrating when Data Privacy Day comes around again a year from now.

There’s more of SiliconANGLE’s and theCUBE’s coverage of Data Privacy Day here.

Photo: SiliconANGLE