Now there is a good question. Many people ask us how much data protection compliance (or more specifically GDPR compliance or POPIA compliance) costs. I’m afraid there is no simple answer, but I can give you some guidance to help you get an idea of what it will cost your specific organisation. The answer is different for different organisations.
“If you think compliance is expensive, try non-compliance.” Former U.S. Deputy Attorney General Paul McNulty
What are the key factors?
- What impact does data protection law have on your organisation? Low, medium or high?
- What action does your specific organisation need to take to close the gap?
- What data protection laws must you comply with? GDPR or just a local law like POPIA?
- How large is your organisation? Small, medium or large?
- How do you define data protection compliance (like GDPR compliance)? Just the obligations, or the principles as well?
- Do you want to comply yourself, comply with guidance, or have someone do it for you?
How much does data protection compliance cost if someone does it for me?
This is the most expensive option, especially if you’re a large organisation with a high impact and you’re aiming for absolute compliance. How expensive, you ask? According to various sources (like this FT article called Information wars: How Europe became the world’s data police), it appears that listed companies have on average spent about US$15m each. Certainly, many of our clients who are large listed companies that process lots of personal data have spent that much or more. Remember though that this is not only on legal fees. If you’re interested, we can give you an indication of what we believe your legal fees could be. There are many things that make up this cost. The costs can include:
- the hours spent by your existing workforce,
- hiring new internal resources, and
- buying solutions from vendors.
Data-driven companies like Google and Facebook whose business model is about personal data will have spent much more than US$15m each. But they are at the high end.
The cost will drop for your organisation depending on the factors we’ve mentioned above. Generally speaking, the more you want your activities to comply with the principles for lawful processing, the greater the cost.
There is a shortage of skilled experienced data protection professionals who can do it for you and therefore the more you want someone to do it for you, the greater the cost. There is also an argument that you cannot get someone else to comply for you because data protection is like personal fitness – you can’t get someone else to do the running for you.
Whichever way you look at it, the cost will be high if you want someone to do it all for you.
How can I reduce the cost of compliance?
Now there is an even better question. You can’t change many of the factors that play a role. For example, you can’t change the impact, your organisation’s gap or what you must comply with. If you’re not sure about these things, do this complimentary high-level data protection assessment on your organisation (about 4 minutes) and then we will give you answers.
You can change your organisation’s activities but this is hard. For example, you could decide to:
- stop offering a product that involves processing the personal data of children,
- close all your offices in the EU or stop targeting people in the EU,
- delete half of the personal data you hold, or
- change your business model.
To an extent, you can change how you comply (your compliance strategy) by for example following a risk-based approach, which might reduce the cost of compliance.
The factor that you can control the most (and which therefore can help you to reduce the cost of compliance) is the way you comply. Do you want to:
- comply yourself,
- comply with guidance, or
- have someone do it for you?
Rather than get someone to do it for you, you can try to do it all yourself but this is very hard. Unless you have people within your organisation with good knowledge and experience, you may well end up spending more in the long run and finding out the cost of non-compliance. Often internal resources are already stretched and have a million other things to do.
We think that doing it with an experienced data protection professional (option 2) is the best way to reduce the costs of compliance. You should try to do as much as possible yourself with expert guidance and assistance. This is why we created the Michalsons data protection programme.