Gary LaFever, CEO of privacy technology company Anonos, points out that how an organization views the GDPR will impact how much it plans to spend: “In our experience, we see companies falling into two groups when it comes to GDPR-related investments. For companies who approach the GDPR as a ‘compliance only’ function, our observation is that they’re spending six figures (USD) annually. For companies that see the GDPR as a transformative ‘data enablement’ event or process, our observation is that they’re investing seven figures (USD) annually.”
LaFever also believes, “Firms that approach GDPR as a ‘compliance only’ function have underfunded the effort because they have not evaluated the implications and requirements for new organizational and technical measures now required under the GDPR to support new legal basis for processing iterative data analytics, artificial intelligence and machine learning that is no longer supported by broad-based consent as it was in the past prior to the GDPR.”
Looking ahead to GDPR compliance trends
That’s why it’s important to keep an eye on the headcount numbers related to compliance costs. In 2017, IAPP and EY suggested that the new headcount additions would be relatively balanced between dedicated privacy professionals (such as those called on to reduce the risk of a data breach) and new hires for whom privacy is just one part of the job description (such as marketing professionals).
For now, the true cost of GDPR compliance is largely unknown. After all, as Bauer notes, “Ironically, even among experts there is still uncertainty about how to comply exactly and how large the risk really is for non-compliance.”
So let’s look ahead to 2019 and 2020, once GDPR has become firmly entrenched and more companies acknowledge that they can no longer wait. It’s easy to imagine a scenario in which companies focus even more effort on hiring new professionals with expertise in the field of data privacy. That will really inflate compliance costs, and raise the stakes for non-compliance.
You can already see this trend at work with IAPP enrollment figures. In 2017 alone, IAPP added 5,500 new members, for a total of 33,000 worldwide. That’s a very impressive 20% annual growth rate. If the rate of growth continues over just the next three years, that would be almost 50,000 members worldwide by the year 2020. In short, privacy requirements and data security concerns about customer data are already leading to rapid growth in the number of privacy professionals.
It’s clear that, going forward, companies will have to think very carefully about how to balance costs and benefits of GDPR compliance. If the world’s largest corporations spend close to $20 million per year on compliance costs related to privacy policies, they will want to have some very tangible proof that all that spending has really paid off.