CNIL Analysis Shows GDPR’s Economic Impact on Cybersecurity and Identity Theft Prevention
The CNIL – French Data Protection Authority – has analyzed the economic impact of the GDPR on cybersecurity, showing that the regulation has helped prevent cyber damages in the European Union ranging from €585 million to €1.4 billion, particularly in identity theft cases. While economic studies often focus on GDPR’s costs, this analysis highlights its benefits, especially in strengthening cybersecurity obligations under Articles 32, 33, and 34 of the regulation.
Cybersecurity investments by companies are usually based on profitability, weighing costs against the risk of cyberattacks. However, companies often overlook the broader societal benefits of their investments, known as externalities. Without regulation, companies tend to underinvest in cybersecurity, which harms other businesses and customers and even increases cybercriminals’ profits. GDPR addresses this market failure by mandating security measures that protect not only individuals but also businesses and their partners.
The CNIL identifies three types of externalities: those affecting other companies, cybercriminals, and customers. Cybersecurity investments by one company improve the overall security environment, benefiting subcontractors, partners, and competitors. Insufficient investment increases successful cyberattacks, raising ransom demands and cybercrime profitability. Data breaches harm customers through identity theft and other attacks, and without GDPR’s breach notification requirements, companies might avoid disclosing incidents, reducing accountability and customer protection.
GDPR compliance encourages companies to invest more in cybersecurity by holding them accountable, especially through breach notification obligations. This has led to a 2.5% to 6.1% reduction in identity theft incidents, translating to €90 million to €219 million in avoided losses in France alone and between €585 million and €1.4 billion across the EU. Most of these savings benefit companies, reflecting only a fraction of GDPR’s overall positive impact on reducing cybercrime. Further economic research could provide more insights into GDPR’s broader cybersecurity benefits.