Assessing the Cost Structure of GDPR Compliance Strategies

by Dhiram Shah


The General Data Protection Regulation (GDPR) went into effect on May 25, 2018. The GDPR is a set of rules intended to tighten data privacy protections throughout the European Union. Many experts are hopeful that these new rules will go a long way toward strengthening privacy rights. However, many companies find adhering to them to be a burden.

The cost of complying with the GDPR is far from insignificant. Companies throughout the world are obligated to adhere to it, provided they process the personal data of people in the EU. They were unsure about the expected costs of compliance when the GDPR was first passed, but they are starting to discover that compliance is even more expensive than they initially thought.

All companies that are subject to the GDPR should consider projected compliance costs. They need to factor these costs into their models and budget accordingly. They can't afford to skimp on compliance expenditures, because the consequences of failing to meet the requirements will be severe. Companies that violate the terms of the GDPR can be fined up to €10 million or 2% of global annual turnover for the lower tier of infringements, and up to €20 million or 4% of global annual turnover for the most serious ones, whichever amount is higher. Companies that suffer security breaches are the most likely to draw a regulator's attention and a fine, which is concerning since one cybersecurity resource reports that attacks have risen 56% in the past year.

What are the costs of complying with the GDPR?
Every company that is subject to the GDPR is trying to accurately assess compliance costs. These costs may be even higher than those of following FDA cybersecurity guidance. Some recent surveys have attempted to estimate the cost of complying with GDPR requirements. Unfortunately, there are a lot of nuances that complicate cost projections. Every business needs to evaluate its own situation carefully, because GDPR compliance costs are going to vary tremendously.

One recent survey in the European Union found that the average company is going to spend $1 million on compliance. However, this survey was given to 300 security executives at large corporations. Smaller companies do not intend to spend nearly as much on compliance.

Four out of five companies with under 10 employees expect to pay under $50,000. On the other hand, 92% of companies with over 1,000 employees expect to pay over $50,000.

These figures seem to contradict the earlier statistic showing that the average cost of GDPR compliance is over $1 million. The reason the average is so high is that many multinational companies are paying exorbitant amounts of money to meet compliance targets. There are a couple of reasons for this:

– Large multinational corporations are more likely to be targeted by EU authorities for neglecting to meet compliance requirements. Since they have deeper pockets, they have fewer excuses for failing to abide by these standards. They are also more likely to have the assets to cover penalties, even if those penalties are burdensome.
– Large organizations are considerably more likely to be targeted by cyber criminals.

The costs for smaller companies are likely to be a lot lower. However, this does not mean that their compliance plan should be underfunded.

What factors affect the costs of compliance?
The following issues play a role in the cost of GDPR compliance.

Whether the company is a data controller or data processor
Although all companies are subject to the same penalties for failing to abide by GDPR requirements, the regulatory burden is higher on some companies than on others. The law distinguishes between data controllers, which decide the purposes and means of processing, and data processors, which process personal data on a controller's behalf and under its instructions. Both have obligations, but data controllers carry the primary responsibility for data protection, because most of it falls under their purview.

The regulatory responsibilities can be difficult to determine, because the roles are sometimes blurred. Multiple companies might play some part in controlling data, and each might attempt to shift responsibility onto the others. However, the regulator will ultimately determine which organization is responsible. Companies that are deemed data controllers will have to devote more resources to compliance.

The scope of data that will be collected
The amount of data that is collected will contribute to compliance costs. However, the range of data that is collected will play a much larger role.

Companies will need to pay more for compliance if they:
– Collect data on many different types of companies or customers
– Collect a wide range of data on customers
– Collect personally identifiable data that has not been anonymized

The logistics of safeguarding data become more complicated as the range of data expands.

Whether data will be shared with companies outside the EU
GDPR compliance becomes more complicated for companies transferring data across borders. If they are trying to share data with third-party companies located outside the European Union, they are going to need to take extra compliance measures, such as relying on an approved transfer mechanism like the standard contractual clauses. They will also need to make sure their contracts with those companies include GDPR compliance obligations. The controller of the data will bear responsibility, even if the company outside the EU is the negligent party.

The lifetime of the data
Companies that retain data indefinitely face much steeper compliance costs. They will want to consider minimizing the data retention timeframe in order to keep regulatory costs low.
