GDPR Cost and Implementation Concerns for Businesses

Arun Subramanian
The Startup
Jun 26, 2019

On May 25, Europe’s new data protection law went into effect. The General Data Protection Regulation (GDPR) is designed to protect the personal information of citizens of the European Union. Any business that handles EU citizen data has to comply, and noncompliance carries high penalties.

Companies are still scrambling to figure out if they are following all the rules. The vagueness of the regulations makes GDPR especially confusing. But businesses need to factor GDPR costs into their operational expenses. So it’s important to understand the various components that will affect the bottom line.

Upfront GDPR Costs

The initial cost of GDPR implementation will depend on the current operating procedures of a business. While British firms have spent $1.1 billion in preparing for GDPR, American companies have spent a staggering $7.8 billion. The reason for this discrepancy is that British firms already had some of the processes and systems in place. They had set those up to comply with the previous version of the European data protection laws. This small example illustrates how GDPR costs will vary widely from company to company.

Here are some of the costs that businesses will have to look into for GDPR compliance:

Technology

Businesses have to ensure that they are in control of the data they collect and store about EU consumers. They need processes to obtain full consent. Technology solutions have to provide data governance and threat detection capabilities. The system also needs the ability to delete all of a user’s information while keeping the stored data portable. Processes need to be in place to inform users of any breach within 72 hours. Depending on the current state of the infrastructure, this can mean anything from minor changes to major overhauls. Businesses that rely on cloud and software-as-a-service (SaaS) applications might face additional challenges. Even minor changes can add up in aggregate, so businesses should run an audit to figure out where they stand.

Human Resources

New technology implementation will require additional headcount. But that’s not all. GDPR requires any company that has more than 250 employees or processes more than 5,000 people in a 12-month period to hire a Data Protection Officer (DPO). A DPO can cost from £50,000 ($71,000) to £250,000 ($354,000). If businesses have to comply with the DPO requirement, they need to make sure they have enough budget for both the DPO and the associated support staff.

Legal Costs

The regulations are murky. European courts are still deciding cases that arose under the previous version of the data protection rules. So companies need to hire lawyers to work through the various compliance issues. Businesses need to look at their local market and estimate the cost of hiring legal help. Legal fees for a large company can run into the millions, so early evaluation is important.

GDPR Costs of Noncompliance

Companies are rushing to comply because there are both financial and reputational risks associated with noncompliance.

Financial Penalties

The penalty for GDPR noncompliance can be 20 million euros or 4 percent of the company’s annual global turnover, whichever is higher. Facebook’s recent Cambridge Analytica case serves as a good example. In that case, Facebook was fined £500,000 ($700,000) for data mining without EU users’ consent. But this was before GDPR went into effect. Had it fallen under GDPR jurisdiction, Facebook could have faced a fine of up to $1.5 billion.

Damages to Reputation

Even though most companies are worried about the financial ramifications of noncompliance, there are also risks to their reputations. In the past, most companies were reluctant to release data breach information because they worried about losing consumer trust. GDPR makes it mandatory to inform users of any breach, which means that compliance itself can result in reputational damage. So businesses need to factor that into their cost calculations.

Efforts of Small Businesses to Control Costs

The heavy financial burden of GDPR compliance is especially hard on small businesses. They are unable to afford the legal and security experts needed to comply with all the rules. So small businesses are changing their operational models or shutting down certain parts of their businesses. They are also scrapping unnecessary data to avoid setting up new infrastructure.

The Silver Lining of GDPR

No doubt GDPR is a costly change for businesses. But the recent increase in data breaches that have hit Equifax, Yahoo, and others shows the need for better data security. So even though GDPR costs are high, compliance ensures better business practices that will lead to better profitability. Also, learning more about the regulations will help businesses optimize costs. As more businesses follow data-protection-by-design principles, GDPR can end up saving money in the long run.

Originally published at https://blog.yumfog.com on June 26, 2019.


I’m a programmer, wannabe designer, and trying to be an entrepreneur.