Share this article on:
As the introduction of the General Data Protection Regulation on May 25, 2018, draws nearer, many are realizing the cost of bringing their organizations into compliance with the GDPR. A recent study by a legal tech company, Axiom, noted that Fortune 500 and FTSE 100 companies may need to spend an estimated £800 million to review contracts and verify that they are in compliance with the GDPR. While not everyone will need to spend as much, there will still be money that needs to be found to assess and implement the necessary elements to continue operating without violating the GDPR.
Two of the major areas that are likely to dictate the overall cost to organizations related to the GDPR are their current processes and the nature and scale of the data they manage.
How Will GDPR Compliance Cost Money?
Arguably, the most significant cost related to GDPR compliance will be the cost of auditing and classifying the data that is held. This is an incredibly important step to take, as it will lead to the identification of the data types being stored or processed; it should identify the risks which need to be addressed in any new procedures; and it should facilitate information relating to individual data subjects being grouped together. Consent must also be evaluated for each piece of data.
Following the audit, any data that is erroneous should either be corrected or deleted; action must be taken to put appropriate technical and organizational measures into place to reduce or mitigate the identified risks; and all the information relating to individual data subjects must be grouped or at least made easily retrievable to comply with individuals’ rights to request copies of their data or to exercise their “right to be forgotten” – to have their data deleted. The previous processes for requesting consent to process data must be examined to check whether they were compliant with the new rules; if not, consent to continue holding or processing data must be sought again.
There will no doubt be a considerable number of hours spent completing the audit, writing the procedures, providing GDPR training to staff, and verifying information, even for companies that only hold smaller amounts of data.
In addition to this, groups employing over 250 members of staff will be required to hire or train a Data Protection Officer, if such a position does not already exist in the organization. It should not be forgotten that employees are also protected by the GDPR, so any employee data and contracts should be reviewed by HR.
How Will GDPR Non-Compliance Cost Money?
While introducing all the necessary elements to comply with the GDPR will undoubtedly be expensive in terms of time and money, non-compliance will certainly cost more. Fines have been approved as part of enforcing the GDPR and the maximum financial penalty is a fine of €20 million or 4% of global annual turnover, whichever is higher.
Crippling financial sanctions could later be compounded by image and reputational damage, with consumers possibly avoiding an organization that does not take the necessary steps to protect their information. Whether the fault is discovered following a fine levied by the supervisory authority or following a data breach, people are likely to take note.
Compliance with the GDPR must now be seen as a cost of doing business. It is a necessary legal hurdle and will also reduce some costs by introducing a harmonious approach to processing data belonging to individuals within the EU. Organizations that fail to take the necessary steps to ensure compliance, or that only implement superficial changes, run the risk of severe monetary and reputational costs.