Becoming General Data Protection Regulation (GDPR) compliant is not cheap (and the money factor could be a reason why so many organizations are dragging their feet toward the May 25, 2018 deadline). According to a PwC survey, of the organizations that have finished their GDPR preparations already, 88 percent said they spent more than $1 million to get ready, while 40 percent said it cost them more than $10 million.
That said, protecting data privacy and security involves significant costs regardless of GDPR. According to Dark Reading, “nearly half of all companies surveyed say that their overall spending on managing privacy is significantly increasing, while the other half say their spending on privacy management is becoming slightly larger. That means that across the board, investments in privacy are going up.”
So, you are going to have data privacy-related costs, with or without GDPR; however, as GDPR compliance is part of your security and privacy plan, you’ll need to think about extra funds.
“GDPR will take considerable effort to implement over and above normal operations, as it is pervasive and covers almost all parts of a public-facing business,” said Gavin Robertson, CTO and SVP of WhamTech. That’s because you will need to add GDPR-specific technologies, tools, and even staff to your security program. For example, Robertson said, “Companies probably need to create an EVP or C-level position to ensure compliance along with additional associated staff positions. GDPR will add significantly to the cost of doing business.”
What to Include in Your GDPR Budget
Clearly, creating a budget for GDPR preparation and continued compliance is a must, and the budget should take into consideration the new products, and maybe even services, necessary to layer GDPR on top of, or modify, existing data sources and associated operations/processes.
Beyond that, according to J.R. Cunningham, VP of product management at security solutions integrator Optiv Security, GDPR budgeting generally falls into three distinct areas of the business that all need to be accounted for: legal, IT and cybersecurity.
“Budgeting for the legal team would include such things as third-party agreement modification to account for transparency and consent components within the GDPR, corporate policies to align with the GDPR, and outside counsel retainers for breach response,” Cunningham explained.
IT budgeting would require the largest “slice of the pie,” because most organizations will need to retool their applications to support “opt-in” consent. “For most organizations, this is the heavy lifting for GDPR compliance and is a fundamental paradigm shift away from the ‘opt-out’ culture that has existed to date,” Cunningham said.
Cybersecurity budgeting needs to focus on data governance, data discovery, data protection and incident response. These critical elements of the information security program become even more important under the GDPR.
The GDPR Planning Team
GDPR requires someone to be named the Data Protection Officer (DPO), who will be responsible for interpreting anything GDPR related and holding the organization accountable for remaining in compliance. However, it is not the DPO’s job to be responsible for implementation of new privacy regulations. Just as there need to be distinct business areas covered in the budget, different business departments need to be represented on the overall GDPR strategy team, which will include instituting a budget. In addition to someone from the C-suite or executive leadership team, key individuals who should contribute to a strategic plan and budget include:
- The controller, who sets and oversees the way data will be processed and ensures regulatory compliance from outside contractors
- The processor of the data on behalf of the controller
- The data protection officer, who oversees compliance and communicates with data protection authorities
Cunningham added that budgeting and planning for the GDPR should also include feedback from three core business areas:
- Legal, which defines the scope of GDPR and ensures third-party contracts are appropriate and accurate
- IT, which assumes the mountainous job of making sure legacy IT systems can adequately protect customer data
- Information security, which takes on the hefty burden of mitigating breach risk to avoid potentially business-crushing financial penalties
You may want to consider adding representatives from HR and marketing as well. These are the departments that will be handling the bulk of your organization’s most sensitive data and should already be leading the way on data privacy.
The preparations for GDPR have been the focus of attention, especially during the last 12 months leading up to the May 25 go date. However, just because the preparations are done and the new protocols are in place doesn’t mean that you can let things slide.
“GDPR is not just a one-off or superficial undertaking,” said Robertson. “Almost all aspects of data management are involved, including attribute-level access control and extensive data security.”
The positive, he added, is that at the end of the day, GDPR implementation could significantly improve how data is used and leveraged, and provide single-person/customer/patient views that could literally transform businesses.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba