The introduction of the European General Data Protection Regulation, more commonly known as the GDPR, occurred on May 25, 2018 and led to a number of changes for companies and many other types of organizations. Large amounts of money were spent in efforts to bring organizations into compliance with the new law, in particular reviewing and updating contracts. One estimation published by Axiom, who work on legal technologies, put forward that Fortune 500 and FTSE 100 enterprises would need to spend over £800 million on contract reviews alone. Obviously, these are the biggest players in the markets and their needs would be greater than most. Not all entities would have been required to commit so much to compliance but all organizations certainly needed to examine their exposure and take action to implement the necessary changes.
While many companies have already completed the initial phases of their GDPR compliance plans, compliance itself is an ongoing issue and other companies are lagging behind. Some areas that are likely to require continuous investment include data management and process evaluation. The amount of money that will be needed in these areas depends largely on the procedures which are already in place and the quantity of data being stored and collected by the organization.
How does GDPR cost money?
A significant ongoing cost of GDPR compliance will be continuously auditing, monitoring, and classifying information. It is one of the most fundamental steps as it will indicate how data that has recently been collected or that has not yet been examined should be dealt with. New data may mean new risks and these must be constantly evaluated in the context of the organization’s standard procedures. Proper classification will ensure that data relating to each individual will be properly catalogued and linked or stored with other data on the same person. This in turn will facilitate reviews of consent.
GDPR requires vigilance. Data that is found to be incorrect or where a relevant record of consent is not available must be amended or deleted. Procedures that were introduced to facilitate these audits must be checked for purpose and updated as necessary. Even if no requests have been received from individuals for copies of their stored data or for all data relating to them to be deleted – the so-called “right to be forgotten” – organizations must ensure that they are able to fulfil such requests by checking that all data relating to each individual is stored together or at least linked for easy retrieval.
An important area which will also introduce ongoing costs is the training of employees to correctly manage data and use these systems. Overlooked this aspect could render all other investments in GDPR compliance useless.
Consequences of non-compliance with GDPR
Even though the upfront costs related to GDPR are significant, whether it be system audits, legal reviews or the pop-ups we are now all familiar with on websites, the costs of non-compliance can be much more severe. Breach of GDPR could lead to financial penalties on the company of either 4% of global annual revenue or €20 million, whichever is higher. This is obviously a serious risk and GDPR compliance should therefore not be forgotten or treated as a non-priority item.