Matt Moscardi
Executive Director, ESG Research

Canaries in the data mine: GDPR and privacy regulation


On Tuesday May 22, Facebook CEO Mark Zuckerberg apologized to EU-based Facebook users for the firm’s failure to sufficiently combat “fake news.”1 As the EU’s data protection regulation, known as the General Data Protection Regulation (GDPR), kicks in on May 25,2 Facebook isn’t alone in facing compliance challenges. A broad range of companies are expected to face the new regulation and its costs, with potential impacts to shareholders of those companies. Of the companies with revenues in the EU that MSCI ESG Research identifies as particularly at risk of privacy and data security issues, 40% were in the financial sector. But what is the real risk GDPR poses to companies?

The reality is that the cost of compliance may be the least of companies’ problems. Non-compliance may become the bigger headache for those companies that are caught out by regulators. The bottom line: the “average” MSCI ACWI Index constituent not in compliance with GDPR risks fines in excess of 15% of earnings before interest, taxes, depreciation and amortization (EBITDA), compared with data breaches that could cost well over 5% of EBITDA and a cost of coming into compliance of less than 1% of EBITDA.3

MSCI has evaluated data privacy and security issues as a core component of MSCI ESG Ratings since 2010. While MSCI ESG Research doesn’t gauge compliance with any specific regulation, such as GDPR,4 we can and do review the implications of new regulations against our existing data. In this case, the legislation builds in a fining mechanism for companies deemed to be in non-compliance (e.g., where companies infringe the principle of consent by unlawfully processing data or transferring it to third parties).5 In such a case, the regulator may levy a fine of up to EUR 20 million or up to 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.6 If a data breach is deemed the result of a process that is out of compliance, the fine could be coupled with redress costs as well.

Compliance costs are small in comparison to the potential fines. Combining a number of external analyses,7 we developed an estimate of the cost of complying with GDPR across industries. The highest costs were likely to be borne by banks, but even there our estimate was a relatively insignificant 0.34% of net margin (as of April 11, 2018).8 On the low end, we estimated 0.03% for the hotels, restaurants and leisure industry and 0.08% for software companies.

The upshot is that there may be a way for investors to understand which companies are better positioned to contain these costs and which appear less prepared. MSCI ESG Research’s data set includes a range of indicators that have shown some historical correlation with either a lower likelihood of an incident (such as a data breach) or a lower impact after the fact (such as remediation costs). Cross-referencing our company indicators with data from the Ponemon Institute, which estimates the cost attributable to particular control lapses that result in a breach, we found that a significant number of companies do not disclose the precautionary initiatives and safeguards correlated with incident cost containment (see the exhibit below).

Determining which companies are in compliance with a specific regulation such as GDPR may be difficult on the basis of public disclosure, but investors could be caught off guard by not knowing how the companies in their portfolios manage privacy and data security. The onset of GDPR may be a wake-up call for investors to understand, beyond Facebook, which companies are preparing for new regulations and which may end up on the wrong end of enforcement later.



Sources: Cost analysis is from the Ponemon Institute’s 2017 Cost of Data Breach Study. Company data from MSCI ESG Research. Companies’ performance on mitigation practices is based on MSCI ACWI Index constituents assessed on these indicators within MSCI ESG Ratings as of April 30, 2018. N=738 except where noted due to data limitations.


1 Wall Street Journal: Facebook CEO Dodges Tough Questions by EU Lawmakers

2 GDPR Reference Article 99

3 Based on the present value of the five-year cost using the estimated costs of fines, data breaches and compliance for MSCI ACWI constituents most exposed to privacy and data security-related risks as of April 11, 2018.

4 European Convention on Human Rights: Article 8

5 GDPR Reference Article 83(5)

6 GDPR Reference Article 83(6)

7 Including: The International Association of Privacy Professionals (IAPP) & EY, Globalscape, Ponemon Institute, Sia Partners

8 Net Margin for each industry is calculated as Weighted average net income / Weighted average total revenues


Further reading:

ESG 101: What is ESG investing?

Equifax case study

Volkswagen case study

MSCI ESG Ratings