Netsparker GDPR Survey: 10 Percent of C-Level Security Execs Say GDPR Will Cost Them $1M+

Data also reveals healthcare and finance industries most resistant to GDPR


London—April 12, 2018—Netsparker Ltd., a leading player in the web applications security industry, has today released the results of its GDPR Survey. The survey of more than 300 C-level security executives, conducted online by Propeller Insights on behalf of Netsparker in March 2018, found that companies are taking the new General Data Protection Regulation (GDPR) much more seriously than HIPAA and PCI: 99 percent are actively involved in the process to become GDPR-compliant, despite the cost and internal reorganization involved.


GDPR is a new set of regulations the European Union (EU) has put in place to protect their citizens’ sensitive data from cybersecurity breaches. Under the terms of GDPR, strict conditions govern how organizations gather data and how it is managed. Organizations that fail to comply will face penalties. GDPR will go into effect May 25, 2018.


Companies Are Serious About GDPR Compliance


Companies seem to be taking GDPR very seriously. While many still aren’t PCI and HIPAA compliant, almost all (99 percent) of the security executives surveyed said their organizations are actively involved in the process to become GDPR-compliant.

  • About half (49 percent) are 75 percent of the way through the process
  • Another 37 percent are halfway there
  • More than two-thirds (71 percent) are confident that they’ll be fully compliant by the May 25 deadline
  • Only 2 percent say it’s unlikely that they’ll be ready


In preparation for GDPR, 57 percent of companies are re-engineering internal systems and procedures, 55 percent are recruiting new people specifically to tackle GDPR compliance, and 48 percent are re-engineering internal security teams.


“People are taking GDPR seriously because of how many high-profile data breaches we have all witnessed in the last few years,” said Ferruh Mavituna, CEO of Netsparker. “In the past, blame for data breaches was shifted around from party to party. Was it the business? The individual? The government? GDPR removes the ambiguity. As of May 25, businesses are responsible for data breaches. As a result, companies will have to restructure how they handle data, and, if they don’t have a sound IT infrastructure, they will have to rebuild from the ground up. It’s heartening to see that so many companies are taking themselves to task.”


GDPR Costs


The cost of GDPR is steep: while 80 percent of those in a micro company (1-9 employees) expect GDPR compliance to cost their business under $50,000, most (92 percent) of those working at an enterprise (more than 1,000 employees) expect GDPR compliance to cost their business over $50,000. Additionally:

  • 1 in 10 say GDPR compliance will cost their business less than $10,000
  • About two-thirds (36 percent) will spend $50-100,000
  • About a quarter (24 percent) will spend between $100,000 and $1 million
  • 1 in 10 say GDPR compliance will cost their business more than $1 million

Although 82 percent of companies currently have a data privacy officer (DPO) on staff, 77 percent plan to hire a new, replacement DPO prior to GDPR going into effect. More than two-thirds (37 percent) of businesses have had to hire at least six new employees to achieve GDPR compliance, and almost 1 in 5 (19 percent) have had to hire at least 10.

Healthcare and Finance Industries Slowest to Change

Meanwhile, security executives working in healthcare and finance report the most resistance to GDPR:

  • 14 percent of healthcare companies have only completed 25 percent of the GDPR compliance process, and 7 percent are unlikely to be GDPR-compliant by May 25
  • 21 percent of finance companies have only completed 25 percent of the GDPR compliance process, and 3 percent haven’t even begun the process

Security executives expect the technology industry will be most affected by GDPR (53 percent), followed by:

  • Online retailers — 45 percent
  • Software companies — 44 percent
  • Financial services — 37 percent
  • Online services/SaaS — 34 percent
  • Retail/CPG — 33 percent

The vast majority (82 percent) say GDPR will be a positive thing for third-party companies in e-commerce, because it will cause them to take security and privacy more seriously, including: better evaluating third-party contractors (36 percent), making sure business partners are GDPR- compliant (28 percent), and checking the location of all business partners with whom data is shared (22 percent).

For more information, see the survey results here.

About Netsparker Ltd.

Netsparker was founded in 2009 and develops a web application security scanner. The scanner’s accurate scanning technology led to early success, and Netsparker is now a recognized leader in the web application security industry.


Netsparker can identify vulnerabilities in any type of modern and custom web applications, regardless of the architecture or platform they are built with. Upon identifying a vulnerability, the Netsparker scanner uniquely generates a proof of exploit to identify a false positive.


Netsparker is available as desktop software and as a cloud service. It is trusted and used by world-renowned organizations from all industry verticals, including Samsung, NASA, Microsoft, ING Bank, and Ernst & Young.