One way or another, GDPR comes with a big price tag for companies. If you don’t become GDPR compliant, a data breach could cost you either $25 million or 4 percent of your annual revenue, whichever is more.
However, a couple of recent studies found that making the organization GDPR compliant is costing millions of dollars. The Netsparker GDPR Survey talked with 300 C-level security executives and found 80 percent of those in a micro company (1-9 employees) expect GDPR compliance to cost their business under $50,000, and most (92 percent) of those working at an enterprise (more than 1,000 employees) expect GDPR compliance to cost their business over $50,000. But that $50,000 is a low number, with one in 10 saying they expect to spend over $1 million to become compliant and another quarter expect costs to run between $100,000 and $1 million.
A second study from PwC, also surveying 300 executives on an international scale, found 60 percent of leaders plan to spend at least $1 million on GDPR, while 12 percent believe their total costs will be over $10 million.
However, as the PwC also pointed out, while these companies might be spending a lot of money to become compliant, they see it as a way to make their organization stand out and, in turn, may bump up revenues with new business from privacy-savvy consumers:
The survey found that some companies see their GDPR programs as a potential differentiator in the market. Among companies who have finished their GDPR preparations, 38 percent have engaged their investor relations departments, a potential indicator that they hope to highlight early compliance to help drive a competitive advantage.
Will the spending pay off in the long run? That remains to be seen. As a Forbes article stated, we don’t know yet what a reasonable level of protection will be in a GDPR world. I’m not sure companies can be doing too much to improve their privacy stance, but it’s going to take some time to realize if they’ve done too little. I think Ferruh Mavituna, CEO of Netsparker, was on the right track when he made this comment in a formal statement:
People are taking GDPR seriously because of how many high-profile data breaches we have all witnessed in the last few years. In the past, blame for data breaches was shifted around from party to party. Was it the business? The individual? The government? GDPR removes the ambiguity.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba