GDPR Cost and Implementation Concerns for Businesses

Arun Subramanian
The Startup
Published in
4 min readJun 26, 2019

Photo by Sara Kurfeß on Unsplash

On May 25, Europe’s new data protection law went into effect. The General Data Protection Regulation (GDPR) is designed to protect the information of the citizens of the European Union. Any business that deals with EU citizen data will have to comply. Noncompliance has high penalties.

Companies are still scrambling to figure out if they are following all the rules. The vagueness of the regulations makes GDPR especially confusing. But businesses need to factor GDPR costs into their operational expenses. So it’s important to understand the various components that will affect the bottom line.

Upfront GDPR Costs

The initial cost of GDPR implementation will depend on the current operating procedures of a business. While British firms have spent $1.1 billion in preparing for GDPR, American companies have spent a staggering $7.8 billion. The reason for this discrepancy is that British firms already had some of the processes and systems in place. They had set those up to comply with the previous version of the European data protection laws. This small example illustrates how GDPR costs will vary widely from company to company.

Here are some of the costs that businesses will have to look into for GDPR compliance:


Businesses have to ensure that they are in control of the data they collect and store about EU consumers. They need to have processes to obtain full consent. Technology solutions have to provide data governance and threat detection capabilities. The system also needs the capability to delete all information while ensuring the stored data is portable. Processes need to be in place to inform the users of any breach within 72 hours. Depending on the current situation of the infrastructure, it can mean minor changes to major overhauls. Businesses that are using cloud and software-as-a-service (SaaS) applications might have additional challenges. Even minor changes can add up in aggregate. So, businesses should run an audit to figure out where they stand.

Human Resources

New technology implementation will require additional headcount. But that’s not all. GDPR requires that any company that has more than 250 employees or processes more than 5,000 people…

Arun Subramanian
The Startup

I’m programmer, wannabe designer, and trying to be an entrepreneur.