GDPR compliance will impact small and mid-sized businesses as well
In tabulating the estimated compliance costs for full GDPR compliance, the IAPP and EY also pointed out that even small- and mid-sized businesses (SMBs), typically defined as organizations with fewer than 5,000 employees, will feel the bite of GDPR. On average, these organizations will spend $550,000 on GDPR compliance. Those costs include the hiring of two new full-time privacy professionals and another two full-time employees with some privacy responsibilities.
Faced with such a high cost, what is the smart approach to compliance for SMBs? Pfeifle suggests that, “The best way to minimize compliance costs is to follow faithfully the privacy principle of data minimization. If you don’t have personal data, you don’t have to worry about GDPR compliance. It costs very little to put data minimization and data destruction policies in place and adhere to them. Further, instituting awareness training for all employees costs relatively little but can have a major impact down the line as employees are ready to identify PII, minimize its collection, and raise red flags to management when there is a concern about compliance.”
On top of hiring professionals, you have to add in a range of other GDPR compliance costs, such as new technological solutions to aid in compliance, as well as fees paid to outside attorneys and consultants. Thus, while a large Global 500 company might have the budget to hire a full-time privacy lawyer, a smaller organization would likely have to pay an outside consultant or lawyer to come in and oversee the transition to the GDPR – as well as pay for a third-party technological solution.
According to Felix Bauer, co-founder of the data anonymization platform Aircloak.com, it’s important not to lose sight of the technological investment that might be required: “The fact that much of the investment is planned for human resources points out an inherent problem – many of the necessary processes are not yet automated, but rather very much manual and decided on a case-by-case basis. In a time of rising data collection and consumption, and crucially less and less transparent processing, technological solutions will be paramount.”
GDPR compliance as a strategic issue
While the IAPP-EY survey primarily focused on “one-time” costs – such as the cost of updating a currently existing suite of products or services – it’s easy to see how these costs imposed by supervisory authorities are actually ongoing and recurring. That’s because GDPR compliance is increasingly becoming a strategic priority, and not just a compliance issue, at the world’s largest corporations.
For example, back in 2016, analysts were viewing GDPR compliance as something akin to going to the dentist’s office for a routine annual checkup. The process to comply with the GDPR might be painful, but you’d fix whatever needed to be fixed in terms of information security and privacy laws. After these initial assessments, you’d simply move on to other issues.
But by 2017, the picture surrounding compliance costs had dramatically changed. Now privacy professionals are discussing the various ways that GDPR will alter the competitive playing field in various industries. When one company can promise to protect your data and another can’t – which one would you trust when it’s time to buy a new product or service? From this perspective, paying more for GDPR compliance could actually turn into a competitive advantage.