How Much does GDPR Compliance Cost?
Ernst & Young, a global professional services firm, reported that the world’s 500 biggest corporations are on track to spend a combined total of $7.8 billion to comply with GDPR. That’s a significant impact on the industry overall, but what about individual businesses? One of the most common question we get is, “How much will GDPR cost me?”
Check out GDPR Defense for small businesses.
The answer is more complicated than a basic dollar amount. There are many factors that will scale the cost of your GDPR implementation–for example, the size of your organization or the types and volume of personal data your organization handles. There are also different steps and phases in the GDPR compliance process and each comes with its own unique costs and time requirements—from the data discovery process, to customer GDPR privacy notifications, to training employees.
SEE ALSO: GDPR 101 Webinar
Factors that will drive compliance costs
The most relevant question you should ask is: Does your organization process personal data of EU persons? If not, then GDPR does not apply to you. If you do, you should read through the following factors to better understand what might be required of you:
Is your organization a data controller or a data processor? While both parties are responsible for protecting personal data, certain requirements apply to controllers or processors only.
What are your risks? If risks related to securing personal data have not been mitigated, additional controls may need to be implemented.
What categories of personal data does your entity handle? How many different teams, lines of business, or processes handle personal data? The greater the number, the higher the costs. A data mapping exercise must be completed to inventory all personal data processed by your organization. We can help with this.
How many distinct repositories are used to store personal data?
How many organizations does your entity share data with? Have you implemented processes to monitor vendor compliance?
Does your organization transfer personal data to organizations in non-EU countries? If so, you will need to verify that contracts with international organizations enforce GDPR requirements for the protection of personal data.
Does your company retain personal data indefinitely? To reduce burden of compliance, data should be retained for the least amount of time needed.
Have processes been implemented to manage the data lifecycle? This includes processes for accessing, correcting, updating, transferring, restricting, removing, and retaining personal data.
Do your contracts with clients and vendors address GDPR requirements? Legal review of contracts will be needed to verify whether a Data Protection Addendum must be drafted and signed by clients and vendors.
Do you process children's personal data? If yes, additional requirements will apply.
Have you tested your security controls implemented to secure personal data? Use trusted penetration testers and vulnerability scan vendors to help with this.
Has your organization assigned someone to oversee privacy? Depending on how your organization processes personal data, a Data Protection Officer (DPO) will need to be appointed.
SEE ALSO: GDPR 101 Part 1
After answering these questions, start a GDPR gap assessment to identify areas for improvement and help your organization develop a roadmap to achieve compliance.
The relative costs of GDPR compliance, step by step
Depending on the factors mentioned above, your roadmap to GDPR compliance will include some or all of the steps below. And, the true cost to comply will depend on how and at what scale each step is completed.
1. Assign a Data Protection Officer
Chances are, you‘re not required by law to formally appoint a DPO to oversee GDPR compliance. However, it’s a good idea to assign an internal employee or team of employees to be in charge of GDPR efforts. If you are required to appoint a DPO, you might assign an individual within your company ($) or hire a third party to fulfill this duty ($$$).
2. Record of Processing Activities (Inventory)
This mandatory step is an important one. You must map the flow of protected data into, out of, and within your organization. As you record the processing activities, you must identify the purposes for processing personal data and any transfers of personal data to countries outside of the EU. The amount and categories of data you handle will affect the cost of this step for you. A low volume of data ($) will obviously take less time and money, while large volumes of data ($$$) will cost more. The number of processes and number of data types will also play a significant role in the final cost.
3. Gap assessment
A gap assessment will include a comparison between current controls, policies and procedures vs GDPR control requirements ($$$). During your gap assessment, you’ll start by asking--Do we have adequate policies and procedures in place to address data subjects’ rights defined in the GDPR? If not, you’ll need to implement or update (step 4).
4. Policies and procedures
This is the step where you’ll implement and update initial and ongoing policies and procedures to address GDPR data protection requirements ($-$$).
5. Modify processes
To verify you are addressing all aspects of the data life cycle and rights of data subjects, you should modify your processes to be GDPR-compliant ($$$).
SEE ALSO: GDPR 101 Part 2, GDPR 101 Part 3
6. Train employees
Employee security training is always important but even more so when implementing new controls related to GDPR compliance. You don’t want your hard work, planning, and investment to go to waste because you skipped training employees ($-$$). You can find ideas to train employees on security here and here.
7. Monitor compliance
Compliance monitoring oversight responsibilities should be assigned internally. Monitoring compliance involves many departments: IT and Operations, Development, Marketing, Sales, etc. It involves training employees, following up on that training, and investing in the security technologies needed to ultimately protect and honor data subjects’ rights. ($$$$)
Note: At any time, you could consult legal counsel to advise and support you in completing these steps. You might seek legal help to draft privacy notices or add data protection requirements to contracts with data processors, who may process personal data on your behalf.
Obviously, legal costs will augment the total costs of GDPR compliance.
SEE ALSO: PCI vs. GDPR Blog and GDPR FAQs
The cost of not complying with GDPR
It’s worth noting that there are possible inherent and external costs for not complying with GDPR. Fines from supervisory authorities in the EU can reach up to 20 Million Euros or 4% of annual global revenues, whichever is greater. Protecting the rights of data subjects is a serious business, and as the value of personal data rises, so could fines.
If you have questions about GDPR, PCI compliance, HIPAA, or general data security, please contact us here.
Jonas De Oliveira is a Security Analyst for SecurityMetrics. He holds CISSP, QSA, CPA and CISA certifications. Jonas has over 12 years’ experience in the data security industry. In addition to assessing companies’ level of PCI compliance, Jonas has been integral in assisting clients prepare to demonstrate GDPR compliance. He graduated with a master’s from University of Utah in accounting with an emphasis in information systems.