Before the new European General Data Protection Regulation (GDPR) went into effect in May 2018, both small- and mid-sized companies and larger enterprises found themselves scrambling to comply with a regulation they found vague and complex, with no clear path to achieving compliance. Now, one year later, we have a much better view of not just the GDPR cost to prepare for the new regulatory environment, but also how much organizations are spending on continuous compliance. A new report from DataGrail, “The Cost of Continuous Compliance,” provides valuable benchmarking data on just how much organizations are spending – both in terms of financial resources and time – in order to keep up with the demands of continuous compliance.
The financial and operational costs of continuous compliance
As the new DataGrail report makes clear, “The cost of privacy compliance is more than financial – it is operational and it is an ongoing cost.” That is especially the case now that the introduction of the European GDPR has opened the door to additional regulation around the world. Next up on the list of privacy compliance is the California Consumer Protection Act (CCPA), set to go into effect in January 2020. After months of preparing for the GDPR, and then another year of meeting all the regulatory demands of the GDPR, organizations are now scrambling to meet all the additional demands of the CCPA.
As the report makes clear, continuous compliance is rarely scalable without the right technological solution. This means that all the time and effort spent in preparing for the GDPR and putting into place new processes and workflows for managing personal data will need to be repeated in order to comply with the CCPA. Without the ability to scale, the total GDPR cost will only compound over time.
GDPR cost benchmarking
So how much did organizations spend on preparing for the GDPR? In terms of additional spending on consulting services and technological solutions, 74% of small- and mid-sized organizations spent more than $100,000. Notably, 20% spent more than $1 million. In a finely-grained analysis of the data from DataGrail, it appears that more than one-third (34%) of these organizations spent anywhere from $100,000 to $499,999 on GDPR compliance. Only 6% of all organizations spent less than $50,000. When it comes to larger enterprises, the spending demands to handle personal data were even greater. Fully one-third of all enterprises (defined as businesses with 1000+ employees) spent more than $1 million on GDPR compliance.
However, the full GDPR cost was actually much higher than that, according to the report. As DataGrail points out, when calculating the GDPR cost, you also have to take into account the opportunity cost of having your best employees and top decision-makers engaged in GDPR compliance rather than actually running the business. The basic picture that emerges from the report is that there were a large number of employees involved in a large number of meetings, all resulting in a large opportunity cost.
For example, nearly two-thirds (67%) of those organizations surveyed by the report involved at least 25 employees in the preparation process. Thus, when calculating the total GDPR cost, you have to factor in this lost time. That’s because 80% of organizations met at least several times per month, trying to prepare for the upcoming GDPR. The average company, says DataGrail, spent 2,100 hours in meetings. And, for larger enterprises, that figure is much closer to 9,000 hours. All of those lost hours ramped up the total GDPR cost considerably.
And, if you factor in the time spent by key decision-makers (such as the data protection officer) on continuous compliance, then the GDPR cost escalates further. These key decision-makers, instead of focusing on ways to grow revenue or improve profitability, were instead updating policies on processing activities, establishing new workflows to deal with data breaches, improving security controls, and conducting a full data inventory of all personal information and data processed in order to comply with the GDPR.
And, yet, despite all this time and effort, only 51% of organizations self-reported themselves as GDPR-compliant by the May 25, 2018 deadline. Another 31% of organizations became fully GDPR-compliant by the end of 2018, and another 14% of organizations will be fully GPDR-compliant by the one-year anniversary of the GDPR on May 25, 2019. That still leaves 4% of organizations that are still scrambling to become GDPR-compliant by the end of 2019.
Scaling up for continuous compliance
One big factor that many organizations did not take into account, says DataGrail, is that compliance is no longer a one-time affair. Instead, the focus needs to be on continuous compliance. The CCPA is next on the horizon, and there’s plenty more regulation to come after that, but most organizations are unable to scale accordingly. According to the report, 7 in 10 organizations have put systems into place that will not scale as new regulations emerge. That makes responding to data requests in real-time much more challenging as new regulations go into effect.
To cope with all the manual processes needed to comply with demands for risk assessments and data security demands, most organizations have been staffing up at a prodigious (but unsustainable) pace. For example, 90% of those surveyed plan to hire at least 3 new people to manage privacy issues over the next 24 months. That’s in addition to the 25-50 people that the average organization has working on continuous compliance issues.
So what’s the best solution? It might not be a surprise here, given that DataGrail offers the first purpose-built privacy management platform, that the answer is better technological solutions capable of dealing with new processes and technologies. Dealing with GDPR requirements can be streamlined considerably if you are working with a technological solution that integrates with all of your other business software from vendors like Salesforce and Oracle. That enables you to deal with Data Subject Requests (DSRs) much more conveniently and effectively.
The future of continuous compliance
Looking ahead to 2020, it’s clear that organizations of all sizes are going to have to become much smarter about how to deal with continuous compliance. Hiring a lot of new employees and spending a lot of time in meetings is not a viable strategy. What’s needed is a broad, comprehensive solution that helps to reduce the GDPR cost of compliance, as measured in both financial and human resource terms. One year after the GDPR went into effect, it’s a lesson that organizations are finally starting to learn. Compliance with the GDPR was just the start of a long-term, ongoing process.