We’ve come a long way since the panic and scepticism that accompanied the introduction of the GDPR (General Data Protection Regulation).
Several high-profile fines and the continued warnings from regulators have led to a sharp uptick in the number of organisations addressing their compliance requirements.
But that doesn’t mean their job is done as far as the GDPR goes; organisations must continue to invest in data protection to ensure they remain compliant. So, what does GDPR compliance really cost?
The cost of maintaining GDPR compliance
There are many factors that determine your data protection budget, including the size of your organisation, the amount of personal data you process and what you do with it.
If you’re transferring data to third parties, for example, you’ll need to monitor and continually improve the ways you secure it while in transit. Likewise, if you store information in the Cloud, you should run regular tests to make sure it’s secure.
The biggest factor is the level of risk your organisation faces. You should have conducted a risk assessment as part of your initial GDPR compliance programme, but this process should be repeated at least annually, and whenever your processing activities change significantly, to ensure you stay on top of threats.
Risk assessments help identify the likelihood of data sets being breached and the amount of damage incidents would cause. The more substantial the threat, the more organisations must invest in defences.
This is particularly true if your organisation sees an increase in security threats or if you’re unhappy with the way threats are being addressed, as it shows that current measures aren’t adequate.
When you consider each of these issues, it’s clear that there’s no single answer for how much organisations should spend on GDPR compliance. A better question is ‘how do you know you’re spending enough?’
Taking this approach gives you the assurance that you’re not investing money simply for the sake of it – or worse, justifying wasteful use of resources by quoting the amount of money you spend.
Many organisations calculate how much to spend by allocating a fixed percentage of their IT budget to data protection.
This can be tricky for organisations whose cyber security budget is a subset of their IT budget, because IT is only one part of GDPR compliance.
Putting the IT department in charge of GDPR compliance spending might result in technological defences being prioritised over other essential compliance activities, like staff awareness training.
We suggest addressing this risk by funding cyber security and data protection from the organisation’s overall budget rather than from the IT budget alone.
Still getting to grips with the GDPR?
More than a year after the Regulation took effect, an Egress report found that 52% of organisations weren’t fully complying with the GDPR.
For these organisations, it’s clearly jumping the gun to talk about the cost of maintaining compliance, as they still need to implement the GDPR’s requirements.
This is likely to cost about €1.3 million, according to a 2018 Veritas report, although other studies have shown that this figure could be substantially higher.
A PwC report, for example, found that 60% of organisations intended to spend more than $1 million (about €900,000) on compliance, with 12% saying they would invest ten times that.
But when it looked at organisations that had already completed their compliance preparations, it found that 88% spent more than $1 million and 40% spent more than $10 million.
These findings demonstrate how quickly costs can spiral and how often organisations underestimate the cost of GDPR compliance.
- A plan of action
Every organisation will have its own challenges, and you need to identify yours before you get started.
You should begin with a DPIA (data protection impact assessment), a process that helps identify, assess and manage the risks associated with your data processing practices. The GDPR requires one wherever processing is likely to result in a high risk to individuals, but it is good practice regardless.
Broader risk assessments are equally crucial, as they help you identify the personal data you process, locate that information and identify the associated risks.
Both result in a list of measures you can take to mitigate or eradicate threats, helping you select the most appropriate risk management strategies.
Technological defences are generally the simplest – although not necessarily the most cost-effective – way of tackling threats.
The GDPR doesn’t outline specific technologies you should use, because best practices are bound to change over time. However, encryption tools and malware detection are more or less universal features of modern business, and an obvious starting point.
Spam filters, access controls, Cloud storage and multifactor authentication are some of the other technologies you should consider at the outset. From here, you can expand to countless other tools that address identified threats.
- People and processes
For all the ways that technology can help protect personal data, organisations are still reliant on employees using those tools correctly and keeping physical copies of data safe.
That’s something they’re consistently unable to do, according to a CybSafe study, which found that 90% of data breaches involve human error.
There’s not much technology can do if an employee misconfigures a database or falls for a phishing scam; that’s why organisations must create processes designed to manage those risks.
This involves a lot more legwork than simply purchasing a tool and installing it, as processes must be tailored to the needs of each department.
Implementing appropriate processes requires an organisation-wide commitment, something that takes a lot of time – and that’s before you get to staff awareness training and educating employees to follow the new rules.
These aren’t one-off tasks, either. Organisations should monitor the effectiveness of their processes and look for ways to improve them on a regular basis. Likewise, employees should be kept in the loop about any process changes and receive top-up training courses at least annually.
In addition to staff awareness training, you should enrol managers who oversee data processing practices on advanced training courses.
- The DPO role
Organisations are required to appoint a DPO (data protection officer) if they are a public authority, if their core activities involve regular and systematic monitoring of data subjects on a large scale, or if their core activities involve processing special categories of data (or data relating to criminal convictions) on a large scale.
Whether your organisation meets any of those criteria or not, there’s no doubting the value of bringing in a GDPR expert to oversee your compliance practices.
Some organisations will hire a DPO on a full-time basis, whereas others might decide to hand the responsibilities to an existing employee (as long as there’s no conflict of interest between their roles) or to outsource the DPO’s tasks to a third party.
GDPR compliance costs per sector
Another major factor in the cost of GDPR compliance is your industry. A Statista report found that, among FTSE 100 companies, banks spent more than three times as much on GDPR compliance as the next closest sector.
These figures are based on Statista’s report and converted to euros.
Smaller organisations won’t spend as much, but these figures are a good indicator of the relative cost per sector.
It’s no surprise that banks have spent the most on data protection, as breaches of their systems give cyber criminals direct access to financial information, which can be abused in any number of ways.
Technology and telecoms companies spend the next most, which is probably due to the sheer amount of data they collect and the complexity of their data processing activities.
Meanwhile, healthcare organisations have spent comparatively little on GDPR compliance. Budgets are notoriously tight in the industry, with organisations often relying on outdated technology.
As a result, it’s one of the worst affected by cyber crime, accounting for dozens of incidents each month.
Cost of non-compliance
If you’re worried about the costs of implementing and maintaining GDPR compliance, know that it’s a much less expensive option than ignoring your requirements.
The threat of cyber crime is at an all-time high, and with so many organisations shoring up their defences, those that aren’t on top of their data protection practices are at even greater risk.
So, how much will a breach cost you? The GDPR gives supervisory authorities the power to issue fines of up to €20 million or 4% of an organisation’s global annual turnover, whichever is higher.
The cost of non-compliance isn’t limited to fines: supervisory authorities can also take enforcement action, placing the penalised organisation under strict supervision as it addresses its areas of non-compliance.
The problems don’t stop there. Ponemon Institute’s 2019 Cost of a Data Breach Report, which accounts for all data breach-related expenses – including loss of productivity and man-hours for the notification and recovery period – found that organisations spent on average about €3.5 million responding to a data breach.
Things are even worse when you account for the unquantifiable negative effects of security incidents, such as reputational damage.
Organisations that suffer egregious data breaches or that handle the response process poorly will lose customers and face an uphill task attracting new partners, creating long-term problems.
Can you demonstrate your GDPR compliance?
One of the most frustrating compliance failures is the inability to prove that necessary measures have been implemented.
The GDPR requires organisations to document their compliance practices. That means it’s possible to implement all the solutions but fall foul of the Regulation simply by having no evidence of what you’ve done.
Our GDPR Toolkit ensures you don’t face this problem, as it contains a complete set of template documents to demonstrate your compliance practices.
Designed and developed by GDPR experts, the toolkit is ideal for anyone who wants help completing their documentation requirements quickly and easily.
But it’s more than simply a set of templates. It also includes:
- Gap analysis and DPIA tools that help you identify compliance weaknesses and how to address them;
- Two licences for the GDPR Staff Awareness E-learning Course; and
- Guidance documents covering data subject consent forms, data retention records, and pseudonymisation, minimisation and encryption.