When the European General Data Protection Regulation (GDPR) finally goes into effect in May 2018, it’s going to come with a significant price tag for the world’s largest corporations. According to a new survey conducted by the International Association of Privacy Professionals (IAPP) and EY, Global 500 companies will spend a combined $7.8 billion over the next year on GDPR compliance. Those escalating compliance costs will mostly result from new hiring, as corporations race to catch up with changes to privacy laws.
More than $15 million in compliance costs
As part of its survey, IAPP and EY asked companies around the world how much they plan to spend on GDPR compliance in the year ahead. On average, the Global 500 companies plan to spend $15.775 million on compliance costs. These costs include a number of factors – such as one-time modifications to products and services and the implementation of new privacy policies throughout the organization.
Given that the smallest company in the Global 500 – Royal Bank of Scotland – has an annual turnover of $21.6 billion, you can immediately begin to grasp the enormity of the task facing these organizations. In part, that’s because the European GDPR, which replaces the Data Protection Directive, is going to have global repercussions beyond any that the European Parliament originally imagined.
Preparing for GDPR and thinking about data privacy will impact nearly every organization in every part of the world. Just because a company is based in North America or Asia doesn’t mean that it won’t have to consider the impact of the European GDPR on its ongoing operations. In today’s hyper-global business environment, it’s impossible for a data processor or data controller to wall off what happens in Europe from the rest of the world.
As a result, Global 500 companies have suggested that the bulk of their costs will be related to new hiring, such as the cost to appoint a data protection officer or risk manager. On average, the world’s 500 largest companies plan to hire 5 full-time privacy professionals, as well as 5 new positions that have privacy-related responsibilities.
“Considering the latest IAPP Salary Survey finds the average privacy professional earns a median salary of roughly $90,000, the investment in human resources is clearly significant,” highlighted Sam Pfeifle, Content Director at the IAPP.
Thus, a large Global 500 corporation might decide to hire a team of lawyers and compliance professionals to help with the transition to the new GDPR regime. But it won’t stop there, since GDPR will impact every corner of an organization, from product development to marketing. When putting together a new marketing campaign, for example, corporations will need to keep in mind the types of data that they are collecting, how they are using it, and where they are storing it. If they are collecting data on EU citizens, expanding operations to EU member states or working with EU data subjects, they will have to be even more vigilant.
For now, the biggest hiring frenzy is likely to be in the technology and financial services sector, primarily because these companies use, analyze and store the greatest amount of personal information. Consider, for a moment, how much a social network like Facebook knows about you – it knows your basic demographic data (age, gender, location), it knows information about people in your social graph, and it may even know your location if you are using the Facebook app.
The same is true for financial institutions, which likely know even more about your financial net worth and your spending patterns. Just imagine how much effort a major credit card company like Mastercard or Visa is going to have to put into GDPR compliance. For these institutions, proper risk management is going to be vital.