There have been several high-profile fines since the GDPR (General Data Protection Regulation) took effect five years ago this May.
That includes mammoth fines given to Amazon (€746 million), Facebook (€265 million) and its subsidiary WhatsApp (€225 million), and Google (€90 million).
These penalties have demonstrated the weight that the GDPR carries against some of the world’s biggest firms, but it’s not just tech giants that have come under scrutiny. There have been more than 1,000 penalties issued since the Regulation took effect, with the majority of cases occurring at small or medium-sized companies.
It’s a reminder that, although discussions of the GDPR are less prominent than they were five years ago, enforcement actions are still in place and you must remain compliant.
Organisations now have half a decade of experience implementing and maintaining GDPR compliance. In this blog, we look at the costs involved in achieving and maintaining that compliance.
The cost of maintaining GDPR compliance
There are many factors that determine what your data protection budget should be. This includes the size of your organisation, the amount of personal data you process and what you do with it.
If you’re transferring data to third parties, for example, you’ll need to monitor and continually improve the ways you secure it while in transit. Likewise, if you store information in the Cloud, you should run regular tests to make sure it’s secure.
The biggest factor is the level of risk your organisation faces. You should have conducted a risk assessment as part of your initial GDPR compliance programme, but this process must be repeated annually to ensure you stay on top of threats.
Risk assessments help identify the likelihood of data sets being breached and the amount of damage incidents would cause. The more substantial the threat, the more organisations must invest in defences.
This is particularly true if your organisation sees an increase in security threats or if you’re unhappy with the way threats are being addressed, as it shows that current measures aren’t adequate.
When you consider each of these issues, it’s clear that there’s no single answer for how much organisations should spend on GDPR compliance. A better question is ‘how do you know you’re spending enough?’
Taking this approach gives you the assurance that you’re not investing money simply for the sake of it – or worse, justifying a wasteful use of resources by quoting the amount of money you spend.
Many organisations calculate how much to spend by allocating a certain percentage of their cyber security budget.
According to one report, organisations typically spend 9.9% of their IT budgets on cyber security, with the tech, healthcare and business services industries being most likely to invest.
Meanwhile, Gartner predicts that global spending on cyber security and risk management will increase by more than 11% in 2023. It estimates that organisations will spend $188 billion (€170 billion) in total on security, as threats increase and inflation drives up costs.
However, organisations need to be careful when treating GDPR compliance as part of their overall cyber security practices. The two are closely related – many data protection requirements are addressed through technical means – but other requirements can only be addressed through processes and policies.
Putting the IT department in charge of GDPR compliance might result in technological defences being prioritised over other essential compliance activities, like staff awareness training.
Still getting to grips with the GDPR?
For many organisations, it’s too early to talk about the cost of maintaining GDPR compliance, as they still need to implement its requirements.
According to a PwC report, this is likely to cost more than $1 million (about €900,000). That said, there are cases where the figure could be substantially higher.
For example, 12% of respondents to that report said they would invest more than $10 million.
But when it comes to the cost of maintaining GDPR compliance, it found that 88% spend more than $1 million and 40% spend more than $10 million.
These findings demonstrate how quickly costs can spiral and how often organisations underestimate the cost of GDPR compliance.
1. A strong plan of action
Every organisation will have its own challenges, and you need to identify yours before you get started.
You should begin with a DPIA (data protection impact assessment), a process that helps identify, assess and manage the risks associated with your data processing practices.
Similarly, risk assessments are crucial for helping you identify the personal data you process, locating that information and identifying the associated risks.
This results in a list of measures you can take to mitigate or eradicate threats, helping you identify the most appropriate risk management strategies.
Technological defences are generally the simplest – although not necessarily the most cost-effective – way of tackling threats.
The GDPR doesn’t outline specific technologies you should use, because best practices are bound to change over time. However, encryption tools and malware detection are universal features of modern business and an obvious starting point.
Spam filters, access controls, Cloud storage and multifactor authentication are some of the other technologies you should consider at the outset. From here, you can expand to other tools that address identified threats.
3. People and processes
For all the ways that technology can help protect personal data, organisations are still reliant on employees using those tools correctly and keeping physical copies of data safe.
That’s something they’re consistently unable to do, according to a CybSafe study, which found that 90% of data breaches involve human error.
There’s not much technology can do if an employee misconfigures a database or falls for a phishing scam; that’s why organisations must create processes designed to manage those risks.
This involves a lot more legwork than simply purchasing a tool and installing it, as processes must be tailored to the needs of each department.
Implementing appropriate processes requires an organisation-wide commitment, something that takes time – and that’s before you get to staff awareness training and educating employees to follow the new rules.
These aren’t one-off tasks, either. Organisations should monitor the effectiveness of their processes and look for ways to improve them on a regular basis. Likewise, employees should be kept in the loop about any process changes and receive top-up training courses at least annually.
In addition to staff awareness training, you should enrol managers who oversee data processing practices on advanced training courses.
4. The DPO role
Organisations are required to appoint a DPO (data protection officer) if they are a public authority, monitor data subjects on a large scale or process special categories of sensitive data.
Whether your organisation meets any of those criteria or not, there’s no doubting the value of bringing in a GDPR expert to oversee your compliance practices.
Some organisations will hire a DPO on a full-time basis, whereas others might decide to hand the responsibilities to an existing employee (as long as there’s no conflict of interest between their roles) or outsource the DPO’s tasks to a third party.
GDPR compliance costs per sector
Another major factor in the cost of GDPR compliance is your industry. A Statista report found that, among FTSE 100 companies, banks spent more than three times as much on GDPR compliance as the next closest sector.
These figures are based on Statista’s report and converted to euros.
Smaller organisations won’t spend as much, but these figures are a good indicator of the relative cost per sector.
It’s no surprise that banks have spent the most on data protection, as breaches of their systems give cyber criminals direct access to financial information, which can be abused in any number of ways.
Technology and telecoms companies spend the next most, which is probably due to the sheer amount of data they collect and the complexity of their data processing activities.
Meanwhile, healthcare organisations have spent comparatively little on GDPR compliance. Budgets are notoriously tight in the industry, with organisations often relying on outdated technology.
Cost of non-compliance
If you’re worried about the costs of implementing and maintaining GDPR compliance, know that it’s a much less expensive option than ignoring your requirements.
The threat of cyber crime is at an all-time high, and with so many organisations shoring up their defences, those that aren’t on top of their data protection practices are at even greater risk.
So, how much will a breach cost you? The GDPR gives supervisory authorities the power to issue fines of up to €20 million or 4% of an organisation’s global annual turnover.
Although blockbuster fines such as those given to British Airways and Marriott are the exception rather than the rule, organisations should still expect to receive prohibitive penalties for violations.
That includes not only fines but also enforcement action, where the penalised organisation will be under strict supervision as it addresses areas of non-compliance.
The problems don’t stop there. Ponemon Institute’s 2020 Cost of a Data Breach Report, which accounts for all data breach-related expenses – including loss of productivity and man-hours for the notification and recovery period – found that organisations spent on average about €3.94 million responding to a data breach.
Things are even worse when you account for the unquantifiable negative effects of security incidents, such as reputational damage.
Organisations that suffer egregious data breaches or that handle the response process poorly will lose customers and face an uphill task attracting new partners, creating long-term problems.
Learn more with our free guide
You can learn more about your GDPR compliance requirements by downloading General Data Protection Regulation – A compliance guide.
This free guide contains a comprehensive overview of the steps you must take to protect your stakeholders’ personal data and meet your data protection obligations.
The download also provides details on the scope of the Regulation and further information on its key compliance requirements. Plus you’ll receive our expert tips on how to bolster your security practices.
A version of this blog was originally published on 25 February 2020.