How much does EU GDPR compliance cost?
The cost of EU GDPR implementation is one of the questions clients most often ask their consultants when budgeting for a GDPR compliance project.
It is also one of the most difficult questions to answer because the only answer is: “It depends.” So, let’s see on what factors it actually depends.
Data, risks, procedures…
It depends on many factors: how much data is processed, how great the risks to the security and freedom of natural persons posed by the activity are, and whether the company already has procedures or policies for data processing. So the answer varies from industry to industry and from company to company.
Article 24 of the GDPR, in fact, states:
“Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
The GDPR does not give exact measures to adopt, because this Regulation aims to be technologically neutral. It is the data controller who will need to know exactly:
- What kinds of data are processed?
- How is data processed?
- What risks to the freedom and security of natural persons are there?
- How is data protected?
- Has the data subject been informed about it?
These questions need to be revised and re-answered as business and technology evolve.
So, in order to help you figure out what the final cost of EU GDPR implementation will be, you will need to consider specific costs described in the following sections.
1) The cost of preliminary activities
Article 5 requires the data controller to demonstrate its own compliance with GDPR requirements. This means that the data controller needs to know and keep track of its own compliance.
Therefore, one of the first steps is the so-called DPIA (Data Protection Impact Assessment), which shows where the implementation of GDPR compliance should start. Through this activity, the data controller verifies what kinds of data are processed, which business processes and business units involve data processing, where data is stored, and how data is protected. Once this has been done, it will be clear what steps should be taken to minimise the risks to the freedom and security of natural persons and, of course, the risk of a data breach.
At this point, you might consider hiring a GDPR consultant to guide you through this process, or investing in education and DIY solutions. Learn more about accountability in the article Implementing 3 main accountability principles under the EU GDPR.
2) The cost of training, education, and literature
In order to implement the EU GDPR, the data controller will need to train all the persons involved in data processing. This is a key element of EU GDPR implementation because it is the only way to truly follow the principles of privacy by design and privacy by default, as set by article 25, which refers to organisational measures to be taken. So, the staff and the management involved in data processing need to be trained.
Do not forget that this is one of the most important security measures. In fact, data breaches often happen because untrained staff open unsafe emails and unintentionally install spyware, which leads to a data breach with all of its resulting costs.
3) The cost of technology
The cost of technology will vary depending on the industry, the size of the business, and the specific organisation. Because EU GDPR implementation relies on many different elements, both technical and organisational, there is no software that makes a business GDPR-compliant at the click of a button.
Therefore, you will need to consider whether purchasing software or upgrading your hardware will allow you to increase the level of security of your organisation, and then estimate the cost of that new software or hardware upgrade.
During this process, you will also need to verify the compliance of your providers, because if an incident occurs, the data controller remains responsible for having made the wrong choice of provider.
4) The cost (or loss) of employees’ time
Of course, among the costs of EU GDPR implementation, you will need to consider the employees’ time required for training, learning new technology, and beginning to work differently (e.g., if you adopt a clean desk policy as an organisational measure that requires employees to keep any documents containing personal data off their desks). It takes time to make employees aware of the risks and to develop new policies and procedures for data processing.
5) The cost of remaining compliant
The EU GDPR is an evolving system, so you will need to periodically check your company’s compliance with the legal requirements as the technology you use evolves.
You may carry out an internal audit, or you may need to adopt procedures for requesting guarantees of GDPR compliance from your suppliers (insofar as they act as your data processors), in order to be able to demonstrate that both the data controller and its data processors are GDPR-compliant.
In this case, you need to consider the costs of audits (if any) or the procedures to check and verify the GDPR compliance of your data processors, their impact on your work, and the review of policies to meet the legal requirements.
The final cost
In order to figure out what the final cost will be, you will need to consider carefully the elements of cost mentioned above. As shown, the size of the business, the industry, and the kinds of data being processed affect the costs differently, as does your current starting point.
You will need to balance the cost of implementation with the benefits of becoming compliant, which include not only avoiding fines, but also increasing the trust of your customers, who are becoming more aware of the importance of data protection. You will also end up protecting your trade secrets and using your resources in a more efficient way.
Learn how to become compliant with lower costs in this free white paper: Implementing EU GDPR with a consultant vs. DIY approach.
About the author:
Alessandra Nisticò is a lawyer focused on the GDPR, Internet law, European law, and innovation topics, helping companies and individuals to find their way and defend themselves in the digital world while developing its potential.