There have been several high-profile fines since the GDPR (General Data Protection Regulation) took effect, with a report by our sister company finding that organisations received more than €182 million in 2020 alone.
It’s a reminder that, although discussions of the GDPR are less prominent than when it took effect, you must maintain compliance.
The penalty for not doing so is well documented, but what about the costs of staying on top of your requirements? In this blog, we look at the GDPR compliance price.
The cost of maintaining GDPR compliance
There are many factors that determine what your data protection budget should be. This includes the size of your organisation, the amount of personal data you process and what you do with it.
If you’re transferring data to third parties, for example, you’ll need to monitor and continually improve the ways you secure it while in transit. Likewise, if you store information in the Cloud, you should run regular tests to make sure it’s secure.
The biggest factor is the level of risk your organisation faces. You should have conducted a risk assessment as part of your initial GDPR compliance programme, but this process must be repeated annually to ensure you stay on top of threats.
Risk assessments help identify the likelihood of data sets being breached and the amount of damage incidents would cause. The more substantial the threat, the more organisations must invest in defences.
This is particularly true if your organisation sees an increase in security threats or if you’re unhappy with the way threats are being addressed, as it shows that current measures aren’t adequate.
When you consider each of these issues, it’s clear that there’s no single answer for how much organisations should spend on GDPR compliance. A better question is ‘how do you know you’re spending enough?’
Taking this approach gives you the assurance that you’re not investing money simply for the sake of it – or worse, justifying a wasteful use of resources by quoting the amount of money you spend.
Many organisations calculate how much to spend by allocating a certain percentage of their data protection budget.
This can be tricky for organisations whose cyber security budget is a subset of their IT security budget, because IT is only a small part of GDPR compliance.
Putting the IT department in charge of GDPR compliance might result in technological defences being prioritised over other essential compliance activities, like staff awareness training.
We suggest addressing this risk by dedicating a portion of your overall budget to cyber security.
Still getting to grips with the GDPR?
For many organisations, it’s too early to talk about the cost of maintaining GDPR compliance, as they still need to implement its requirements.
This is likely to cost more than $1 million (about €900,000) on compliance, according to a PwC report. That said, there are cases where that figure could be substantially higher.
For example, 12% of respondents to that report said they would invest more than $10 million.
But when it comes to the cost of maintaining GDPR compliance, it found that 88% spend more than $1 million and 40% spend more than $10 million.
These findings demonstrate how quickly costs can spiral and how often organisations underestimate the cost of GDPR compliance.
- A plan of action
Every organisation will have its own challenges, and you need to identify yours before you get started.
You should begin with a DPIA (data protection impact assessment), a process that helps identify, assess and manage the risks associated with your data processing practices.
Similarly, risk assessments are crucial for helping you identify the personal data you process, locating that information and identifying the associated risks.
This results in a list of measures you can take to mitigate or eradicate threats, helping you identify the most appropriate risk management strategies.
Technological defences are generally the simplest – although not necessarily the most cost-effective – way of tackling threats.
The GDPR doesn’t outline specific technologies you should use, because best practices are bound to change over time. However, encryption tools and malware detection are universal features of modern business and an obvious starting point.
Spam filters, access controls, Cloud storage and multifactor authentication are some of the other technologies you should consider at the outset. From here, you can expand to other tools that address identified threats.
- People and processes
For all the ways that technology can help protect personal data, organisations are still reliant on employees using those tools correctly and keeping physical copies of data safe.
That’s something they’re consistently unable to do, according to a CybSafe study, which found that 90% of data breaches involve human error.
There’s not much technology can do if an employee misconfigures a database or falls for a phishing scam; that’s why organisations must create processes designed to manage those risks.
This involves a lot more legwork than simply purchasing a tool and installing it, as processes must be tailored to the needs of each department.
Implementing appropriate processes requires an organisation-wide commitment, something that takes time – and that’s before you get to staff awareness training and educating employees to follow the new rules.
These aren’t one-off tasks, either. Organisations should monitor the effectiveness of their processes and look for ways to improve them on a regular basis. Likewise, employees should be kept in the loop about any process changes and receive top-up training courses at least annually.
In addition to staff awareness training, you should enrol managers who oversee data processing practices on advanced training courses.
- The DPO role
Organisations are required to appoint a DPO (data protection officer) if they are a public authority, monitor data subjects on a large scale or process special categories of sensitive data.
Whether your organisation meets any of those criteria or not, there’s no doubting the value of bringing in a GDPR expert to oversee your compliance practices.
Some organisations will hire a DPO on a full-time basis, whereas others might decide to hand the responsibilities to an existing employee (as long as there’s no conflict of interest between their roles) or outsource the DPO’s tasks to a third party.
GDPR compliance costs per sector
Another major factor in the cost of GDPR compliance is your industry. A Statista report found that, among FTSE 100 companies, banks spent more than three times as much on GDPR compliance as the next closest sector.
These figures are based on Statista’s report and converted to euros.
Smaller organisations won’t spend as much, but these figures are a good indicator of the relative cost per sector.
It’s no surprise that banks have spent the most on data protection, as breaches of their systems give cyber criminals direct access to financial information, which can be abused in any number of ways.
Technology and telecoms companies spend the next most, which is probably due to the sheer amount of data they collect and the complexity of their data processing activities.
Meanwhile, healthcare organisations have spent comparatively little on GDPR compliance. Budgets are notoriously tight in the industry, with organisations often relying on outdated technology.
Cost of non-compliance
If you’re worried about the costs of implementing and maintaining GDPR compliance, know that it’s a much less expensive option than ignoring your requirements.
The threat of cyber crime is at an all-time high, and with so many organisations shoring up their defences, those that aren’t on top of their data protection practices are at even greater risk.
So, how much will a breach cost you? The GDPR gives supervisory authorities the power to issue fines of up to €20 million or 4% of an organisation’s global annual turnover.
That includes not only fines but also enforcement action, where the penalised organisation will be under strict supervision as it addresses areas of non-compliance.
The problems don’t stop there. Ponemon Institute’s 2020 Cost of a Data Breach Report, which accounts for all data breach-related expenses – including loss of productivity and man-hours for the notification and recovery period – found that organisations spent on average about €3.2 million responding to a data breach.
Things are even worse when you account for the unquantifiable negative effects of security incidents, such as reputational damage.
Organisations that suffer egregious data breaches or that handle the response process poorly will lose customers and face an uphill task attracting new partners, creating long-term problems.
Learn more with our GDPR compliance guide
You can find out more about your data protection and privacy requirements by reading EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide.
This essential guidebook explains in simple terms the steps you must follow to meet the GDPR’s requirements. It covers everything you need to know about compliance, including:
- Data subjects’ rights;
- How to gain lawful consent;
- Managing consent withdrawal;
- Fulfilling DSARs (data subject access requests);
- How to complete DPIAs (data protection impact assessments); and
- Whether you need to appoint a DPO (data protection officer).
A version of this blog was originally published on 25 February 2020.