When the European General Data Protection Regulation (GDPR) finally becomes enforceable on 25 May 2018, it is going to come with a significant price tag for the world's largest corporations. According to a new survey conducted by the International Association of Privacy Professionals (IAPP) and EY, Global 500 companies will spend a combined $7.8 billion over the next year on GDPR compliance. Those escalating compliance costs will mostly result from new hiring, as corporations race to catch up with the changes to privacy law.
More than $15 million in compliance costs
As part of its survey, IAPP and EY asked companies around the world how much they plan to spend on GDPR compliance in the year ahead. On average, the Global 500 companies plan to spend $15.775 million on compliance costs. These costs include a number of factors – such as one-time modifications to products and services and the implementation of new privacy policies throughout the organization.
Given that the smallest company in the Global 500 – Royal Bank of Scotland – has an annual turnover of $21.6 billion, you can immediately begin to grasp the scale of the task facing these organizations. In part, that is because the GDPR, which replaces the 1995 Data Protection Directive, is going to have global repercussions beyond any that the European Parliament originally imagined.
Preparing for GDPR and thinking about data privacy will impact nearly every organization in every part of the world. Just because a company is based in North America or Asia doesn’t mean that it won’t have to consider the impact of the European GDPR on its ongoing operations. In today’s hyper-global business environment, it’s impossible for a data processor or data controller to wall off what happens in Europe from the rest of the world.
Accordingly, Global 500 companies report that the bulk of their costs will be related to new hiring, such as the cost of appointing a data protection officer or risk manager. On average, the world's 500 largest companies plan to hire five full-time privacy professionals, as well as five new staff in positions that carry privacy-related responsibilities.
“Considering the latest IAPP Salary Survey finds the average privacy professional earns a median salary of roughly $90,000, the investment in human resources is clearly significant,” highlighted Sam Pfeifle, Content Director at the IAPP.
A large Global 500 corporation might therefore hire a team of lawyers and compliance professionals to help with the transition to the new GDPR regime. But it won't stop there, since the GDPR will touch every corner of an organization, from product development to marketing. When putting together a new marketing campaign, for example, a company will need to keep in mind what types of personal data it is collecting, how it is using them, and where it is storing them. Note that the GDPR's territorial scope turns on where the data subjects are, not on their citizenship: a company that collects data on individuals in the EU, expands operations into EU member states, or otherwise processes the personal data of EU data subjects will have to be especially vigilant.
For now, the biggest hiring frenzy is likely to be in the technology and financial services sector, primarily because these companies use, analyze and store the greatest amount of personal information. Consider, for a moment, how much a social network like Facebook knows about you – it knows your basic demographic data (age, gender, location), it knows information about people in your social graph, and it may even know your location if you are using the Facebook app.
The same is true for financial institutions, which likely know even more about your financial net worth and your spending patterns. Just imagine how much effort a major credit card company like Mastercard or Visa is going to have to put into GDPR compliance. For these institutions, proper risk management is going to be vital.
GDPR compliance will impact small and mid-sized businesses as well
In tabulating the estimated costs of full GDPR compliance, the IAPP and EY also pointed out that even small and mid-sized businesses (SMBs), typically defined as organizations with fewer than 5,000 employees, will feel the bite of the GDPR. On average, these organizations will spend $550,000 on GDPR compliance. Those costs include the hiring of two new full-time privacy professionals and two more full-time employees with some privacy responsibilities.
Faced with such a high cost, what is the smart approach to compliance for SMBs? Pfeifle suggests that, "The best way to minimize compliance costs is to follow faithfully the privacy principle of data minimization. If you don't have personal data, you don't have to worry about GDPR compliance. It costs very little to put data minimization and data destruction policies in place and adhere to them. Further, instituting awareness training for all employees costs relatively little but can have a major impact down the line as employees are ready to identify PII, minimize its collection, and raise red flags to management when there is a concern about compliance."
On top of hiring professionals, you have to add in a range of other GDPR compliance costs, such as new technological solutions to aid in compliance, as well as fees paid to outside attorneys and consultants. Thus, while a large Global 500 company might have the budget to hire a full-time privacy lawyer, a smaller organization would likely have to pay an outside consultant or lawyer to come in and oversee the transition to the GDPR – as well as pay for a third-party technological solution.
According to Felix Bauer, co-founder of the data anonymization platform Aircloak.com, it’s important not to lose sight of the technological investment that might be required, “The fact that much of the investment is planned for human resources points out an inherent problem – many of the necessary processes are not yet automated, but rather very much manual and decided on case-by-case basis. In a time of rising data collection and consumption, and crucially less and less transparent processing, technological solutions will be paramount.”
GDPR compliance as a strategic issue
While the IAPP-EY survey primarily focused on "one-time" costs – such as the cost of updating an existing suite of products or services – it is easy to see that much of this spending is actually ongoing and recurring. That is because GDPR compliance is increasingly becoming a strategic priority, and not just a compliance exercise, at the world's largest corporations.
For example, back in 2016, analysts viewed GDPR compliance as something akin to a routine annual dental checkup. The process might be painful, but you would fix whatever needed fixing in your information security and privacy practices, and after that initial assessment you would simply move on to other issues.
But by 2017, the picture surrounding compliance costs had changed dramatically. Now privacy professionals are discussing the various ways in which the GDPR will alter the competitive landscape in different industries. When one company can promise to protect your data and another can't, which one would you trust when it is time to buy a new product or service? From this perspective, paying more for GDPR compliance could actually turn into a competitive advantage.
Gary LaFever, CEO of privacy technology company Anonos, points out that how an organization views the GDPR will impact how much it plans to spend: “In our experience, we see companies falling into two groups when it comes to GDPR-related investments. For companies who approach the GDPR as a ‘compliance only’ function, our observation is that they’re spending six figures (USD) annually. For companies that see the GDPR as a transformative ‘data enablement’ event or process, our observation is that they’re investing seven figures (USD) annually.”
LaFever also believes, “Firms that approach GDPR as a ‘compliance only’ function have underfunded the effort because they have not evaluated the implications and requirements for new organizational and technical measures now required under the GDPR to support new legal basis for processing iterative data analytics, artificial intelligence and machine learning that is no longer supported by broad-based consent as it was in the past prior to the GDPR.”
Looking ahead to GDPR compliance trends
That is why it is worth keeping an eye on the headcount numbers behind the compliance costs. For 2017, IAPP and EY report that new headcount will be roughly evenly split between dedicated privacy professionals (for example, staff charged with reducing the risk of a data breach) and new hires for whom privacy is only one part of the job description (such as marketing professionals).
For now, the true cost of GDPR compliance is largely unknown. After all, as Bauer notes, “Ironically, even among experts there is still uncertainty about how to comply exactly and how large the risk really is for non-compliance.”
So let's look ahead to 2019 and 2020, once the GDPR has become firmly entrenched and more companies acknowledge that they can no longer wait. It is easy to imagine a scenario in which companies focus even more effort on hiring new professionals with expertise in data privacy. That will further inflate compliance costs, and raise the stakes for non-compliance.
You can already see this trend at work in IAPP membership figures. In 2017 alone, IAPP added 5,500 new members, for a total of 33,000 worldwide. That is an impressive 20% annual growth rate. If that rate of growth continues over just the next three years, the association would have roughly 57,000 members worldwide by 2020. In short, privacy requirements and data security concerns about customer data are already driving rapid growth in the number of privacy professionals.
It is clear that, going forward, companies will have to think very carefully about how to balance the costs and benefits of GDPR compliance. If the world's largest corporations spend more than $15 million per year on compliance costs related to privacy, they will want some very tangible proof that all that spending has really paid off.