There are plenty of blog posts detailing GDPR compliance strategies. This is not one of them. Regardless of what you read, there are parts of GDPR that are simply not well defined (Art. 27 2(a) for example) and compliance strategies will change as case law sets precedent and guidelines from regulators are published.
In the big ocean of commerce, we’re a pretty small fish. However, we do have hundreds of customers based in the EU, who collectively represent a meaningful share of our customer base. In addition to data originating in the EU from EU-based customers, GDPR also applies to any data originating in the EU from our US-based customers. We knew that GDPR was coming, that it was going to be disruptive to our business, and that we had to take it seriously and get compliant. However, we had no idea how much it was going to cost or how long it would take.
This post is about how much it cost our company to become GDPR compliant. It’s important to note that this is our estimated cost for reaching initial compliance (not reaching an ideal compliance state). For example, we have documented the processes for removing PII from our services but several parts of that process are manual. In an ideal compliance scenario those processes would be automated, but that would significantly increase our cost of compliance. Also, there are ongoing compliance costs such as software subscriptions, sub-processor management, and responding to erasure requests which are not included in this estimate. If you haven’t already put together your compliance strategy, we hope this post will help you set realistic cost expectations for the initial part of your journey.
Here are the major categories of expenses:
GDPR Project Manager: $8,500
Primarily time/salary spent establishing and executing the compliance strategy
Development Manager: $3,800
Primarily time/salary spent on integrating new software for active consent management
Privacy Attorney Fees: $7,600
Primary expenses included research, guidance, and multiple meetings
Contract Management Software: $1,800
We purchased PactSafe for managing consent to our Terms of Service, Privacy Policies, and Data Processing Agreements
Total Estimated Cost: $21,700
This cost could have been much higher, but we already had very strict privacy standards in place and were already compliant with existing standards such as Privacy Shield. Overall, we’re fortunate our costs were this low.
If you have any questions about this post or our GDPR compliance strategy, please send those to firstname.lastname@example.org. We’d love to hear from you and share what we’ve learned from this experience.