The General Data Protection Regulations (GDPR) are a complex piece of legislation, and the cost of compliance can be significant. Axiom, a law firm specialising in technology, recently released a study showing that Fortune 500 and FTSE 100 companies may need to spend an estimated £800 million to review contracts and ensure that their practices are compliant with GDPR. While very few organisations are required to invest such a staggering sum, organisations of all sizes face a substantial price tag associated with compliance.
Costs Associated with Compliance
One of the primary financial hurdles that businesses face is the cost of auditing and classifying all of the consumer data they hold — although expensive, completing the audit is a crucial step towards compliance. Businesses benefit significantly from completing the audit, as it allows them to identify the data types being stored or processed and the risks to the security of that data.
Auditing is a labour-intensive and time-consuming process, and as such the costs associated with it are considerable. Additionally, there are indirect, associated costs which businesses much handle, such as evaluating consent for each piece of data.
The audit can highlight areas in which the business may need to focus their attention (and finances) to ensure they are GDPR compliant. For example, an audit may reveal data which is inaccurate. Businesses should either take steps to correct this data or delete it.
The audit may reveal particular security or privacy issues which the business must rectify. GDPR has strict requirements regarding data security, and organisations must implement adequate technical safeguards in place to ensure that the integrity of personal data is maintained. These safeguards can be extremely costly to implement, especially for smaller organisations.
GDPR also mandates that all the information relating to individual data subjects must be grouped or at least made easily retrievable to comply with individuals’ rights to request copies of their data or to exercise their “right to be forgotten”. Businesses must reassess previous processes through which consumers’ consent to process data was obtained. These may not be compliant with GDPR’s new rules, in which case the business must obtain consent again to continue holding or processing data.
Any organisation that is required to comply with GDPR must provide training to their employees and inform them of their responsibilities under the regulations. This training represents an ongoing cost to an organisation, as staff must be regularly reminded of their responsibilities and be updated on new additions to GDPR.
In addition to staff training, organisations that have more than 250 employees are required to nominate a Data Protection Officer (DPO), who oversees the security of any data that the organisation handles. If the business does not have a suitable candidate, they must employ an external candidate.
Cost of GDPR Violations
As can be seen above, the cost to an organisation of complying with GDPR can be significant. However, the cost of violating GDPR is even higher. The EU can fine organisations for GDPR non-compliance, with the size of the fine varying on the type and severity of the violation. The maximum fine, reserved for particularly egregious breaches, is €20 million or 4% of global annual turnover, whichever is higher.
In addition to the financial costs, organisations who are found to be non-compliant with GDPR may suffer severe reputational damage. Consumers are becoming increasingly concerned about how businesses use their data and may wish to avoid organisations who do not take their responsibilities seriously. The implementation of GDPR received a great deal of press coverage; significant violations may receive the same treatment.