What Are the Real Costs of GDPR Compliance?
When the GDPR came into being on 25th May, 2018, many companies were not compliant. It’s hard to know how many fell short, but a report by Crowd Research Partners before the deadline suggested up to 60%. This figure varied depending on the survey you looked at, but many businesses still do not comply today.
Some proof that companies worldwide were not complying with GDPR came in September 2018. Research from Talend found that 70% of companies failed to meet individual requests for copies of personal data within the one-month GDPR limit. The retail industry fared poorly with a 76% fail rate.
In November 2018, the International Association of Privacy Professionals (IAPP) carried out its Privacy Governance survey. From 550 respondents, 56% said they were either still far from compliance or would never comply. For large companies with data sprawl, GDPR compliance is especially taxing.
More recently, in a January 2019 Cisco report, 59% of companies from 3,200 respondents said they were meeting most or all GDPR requirements. The state of GDPR compliance worldwide varied between 42% and 76% from country to country.
GDPR compliance is tough for companies, whether large or small. Compliance is more complex and expensive for big companies, but, naturally, the same companies have deeper pockets. Prior to the May 2018 deadline, FTSE 350 and Fortune 500 businesses had spent many millions of pounds and billions of dollars on GDPR compliance.
Small to medium-sized businesses have less money to spend on cyber security or in-house data protection expertise. Such companies are also less likely to face heavy fines for GDPR non-compliance. As the UK’s GDPR enforcer, the Information Commissioner’s Office (ICO) declared that penalties would be “fair and proportional.”
It’s safe to assume the onus on big companies to comply with GDPR has been more urgent. You might also rightly imagine there’s been a lull in GDPR activity since the deadline, particularly among smaller companies. After all, the ICO was never going to chase every minor infringement from the outset, despite all the press rhetoric about massive fines.
Although smaller companies could be forgiven for taking their time during this period of transition, it would be a mistake for them to let their situation stagnate. Steady progress towards GDPR compliance rests more easily with regulators than no effort whatsoever.
The real cost of GDPR
All companies, whether located in Europe or not, must be GDPR-compliant if they handle the personal data of EU-based clients. The cost of compliance varies hugely. When a Netsparker survey (April 2018) asked 302 US business executives how much they were spending on GDPR compliance, the answers were as follows:
- Over $1 million = 10.3%
- $100,000 to $1 million = 23.8%
- $50,000 to $100,000 = 35.8%
- $10,000 to $50,000 = 20.2%
- Less than $10,000 = 9.9%
GDPR case study of a small company
Let’s say a small company of 1-9 employees spends $20,000 on GDPR compliance. A rough breakdown of costs might look like this:
- GDPR Project Management ($7,500): Time and salary spent with personnel devising and executing a compliance strategy.
- Technical Development ($3,500): Integration of new software for seeking and recording active consent.
- Lawyer’s Fees ($7,500): Research, multiple meetings and legal advice.
- Contract Management Software ($1,500): For all GDPR contracts, such as privacy policies, data processing agreements (i.e. between controllers and processors) and terms of service.
GDPR365: An easy solution for small and mid-sized companies
While data regulators tend to be more lenient towards smaller companies with fewer resources, the ability to show a path towards GDPR compliance remains important. Damaging fines are more likely if companies are apathetic. Making suitable CRM changes and switching to GDPR-ready software demonstrates good intent and simplifies the process of compliance.
With this in mind, GDPR365 compliance software offers an ideal way for small and mid-sized companies to move towards compliance and take a proactive role in doing so. You can start this journey by signing up for a 14-day free trial and getting instant access to your account. After the first two weeks, you’ll have the option of signing up to a GDPR365 plan, starting at £45 or €50 per month (up to 9 employees, 2 users, and 10 processor contracts).
GDPR365 cloud-based software supports GDPR compliance in many ways: GDPR guidance, data subject risk assessment, DPO (data protection officer) support for ongoing compliance, contract management, GDPR staff training, subject access management, limiting outsourced personal data to processors, data breach management and compliance assessment.
By helping to create a complete audit trail of compliance, GDPR365 safeguards companies against accusations of inertia. It takes about three months to complete the compliance process. Businesses also have the option of onboarding from £500 or €560 so they can quickly get up to speed with the software. Once the compliance process is complete, you can validate it using a lawyer. This is still much cheaper than engaging the lawyer’s services from the outset.
Data breaches since GDPR
The 28th January, 2019 was Data Protection Day. To mark the occasion, the European Commission issued a joint statement, which noted that national Data Protection Authorities had received 95,000 complaints from citizens since the inception of GDPR. The activities drawing the most GDPR complaints included telemarketing, promotional e-mails and video surveillance/CCTV.
Since the 25th May, 2018 deadline, there have been a record 41,502 data breaches. Three major fines have been issued:
- €20,000 to a social network operator for failing to secure users’ data
- €5,280 to a sports betting café for unlawful video surveillance
- €50 million to Google for lack of consent for ads
If you’re running a business, however small, take a step now to comply with GDPR and avoid the cost of inaction!