The day when the General Data Protection Regulation will be implemented is very near – May 25, 2018. One of the things that organizations are realizing is the cost associated with compliance to the GDPR. Axiom, a legal tech company, conducted a study recently and found that FSTE100 and Fortune 500 companies may need to allocate £800 million more or less for reviewing contracts and verifying their company’s compliance with the GDPR. Not all companies will spend that much but the fact is money will be spent in order for companies to implement the required changes that will allow them to operate without violating the GDPR.
Two major elements that will affect the cost of GDPR compliance are the company’s current processes and the nature and scale of data it deals with. The cost associated with audit and data classification is perhaps the cost that is most significant to GDPR compliance. Audit is the first and very important step to compliance because it leads to the identification of data types that are stored and processed by a company. In this step, risks must be identified and addressed before any new procedures are implemented; there must be a means to facilitate information to group together individual data subjects. How consent is obtained for each piece of data is to be evaluated as well.
After the audit step, erroneous data must be corrected or deleted. With regards to the mitigation of identified risks, appropriate technical and organizational measures must be put in place. By grouping data subjects as done in the previous step, it is easier to retrieve data to comply with the request of individuals to get copies of their data or to have their data deleted, the so-called “right to be forgotten.” Obtaining consent before processing data, which was also done in the previous step, must be re-examined to make sure of compliance to the GDPR; should there be any data that does not come with consent, it should be requested again before holding or processing the data.
Completing the audit, verifying information, writing procedures and training personnel will surely take many hours even if the company manages only a small amount of data. If a company has over 250 staff, it is necessary to have a Data Protection Officer. If there’s none that holds such a position yet, one must be hired and trained. The HR should also remember that the GDPR protects employees as well, hence the need to review employee data and contracts.
If complying to all the requirements of the GDPR is costly, just think that non-compliance will be even more costly. The maximum financial penalty of non-compliance with the GDPR is 4% of global annual turnover or €20 million, whichever is higher. In addition, financial sanctions may also be imposed on the violating company resulting in image and reputational damage of organizations that do not take the required action to protect the information of data subjects.
Compliance with the GDPR will definitely be an added cost to businesses. It is a legal hurdle that must be overcome by organizations that process the personal data of individuals based in the EU. Just keep in mind that not implementing the required steps to comply with the GDPR will have consequential monetary and reputational costs.