Now there is a good question. Many people ask us how much data protection compliance (or, more specifically, GDPR compliance or POPIA compliance) costs. I’m afraid there is no simple answer, but I can give you some guidance to help you get an idea of what it will cost your specific organisation. The answer is different for different organisations.

“If you think compliance is expensive, try non-compliance.” Former U.S. Deputy Attorney General Paul McNulty

What are the key factors?

  1. What impact does data protection law have on your organisation? Low, medium or high?
  2. How big is the gap? What action does your specific organisation need to take to close the gap?
  3. What data protection laws must you comply with? GDPR or just a local law like POPIA?
  4. How big is your organisation? Small, medium or large?
  5. How do you define data protection compliance (like GDPR compliance)? Just the obligations, or the principles as well?
  6. Do you want to comply yourself with guidance or do you want someone to do it for you?

How much does data protection compliance cost if someone does most of it for me?

This is the most expensive option, especially if you’re a large organisation with a high impact and you’re aiming for absolute compliance. How expensive, you ask? According to various sources (like this FT article called Information wars: How Europe became the world’s data police), it appears that listed companies have on average spent about US$15m each. Certainly, some of our clients who are large listed companies that process lots of personal data have spent that much. But those on whom the impact is lower will spend much less. Remember, though, that this is not spent only on legal fees.

There are many things that make up this cost.

  • The hours spent by your existing workforce
  • Hiring new internal resources
  • The costs of joining a programme
  • Buying privacy management software
  • The hours spent by external consultants
  • Buying solutions from vendors

Data-driven companies like Google and Facebook whose business model is about personal data will have spent much more than US$15m each. But they are at the high end.

The cost will drop for your organisation depending on the factors we’ve mentioned above. Generally speaking, the more you want your activities to comply with the principles for lawful processing, the greater the cost.

There is a shortage of skilled experienced data protection professionals who can do it for you and therefore the more you want someone to do it for you, the greater the cost. There is also an argument that you cannot get someone else to comply for you because data protection is like personal fitness – you can’t get someone else to do the running for you.

Whichever way you look at it, the cost will be high if you want someone to do most of it for you.

How can I reduce the cost of compliance?

Now there is an even better question. You can’t change many of the factors that play a role. For example, you can’t change the impact, your organisation’s gap or what you must comply with. If you’re not sure about these things, do this complimentary impact assessment on your organisation (about 4 minutes) and then we will give you answers.

You can change your organisation’s activities but this is hard. For example, you could decide to:

  • stop offering a product that involves processing the personal data of children,
  • close all your offices in the EU or stop targeting people in the EU,
  • delete half of the personal data you hold, or
  • change your business model.

To an extent, you can change how you comply (your compliance strategy) by for example following a risk-based approach, which might reduce the cost of compliance.

Who is going to do the work?

The factor that you can control the most (and which therefore can help you to reduce the cost of compliance) is the way you comply. Do you want:

  1. to comply yourself with guidance, or
  2. someone to do it for you?

Rather than get someone to do it for you, you can try to do it all yourself but this is very hard. Unless you have people within your organisation with good knowledge and experience, you may well end up spending more in the long run and finding out the cost of non-compliance. Often internal resources are already stretched and have a million other things to do.

We think that a combination of options 1 and 2 is the best way to reduce the cost of compliance. You should try to do as much as possible yourself with expert guidance, and then ask an external specialist to help you with certain things. This is why we created the Michalsons data protection programme, and you can consult with us as a specialist.

By joining our programme you should be able to halve what you pay to external consultants.

The financial benefits of data privacy compliance

A recent global study by Cisco involving 2800 organisations across 13 countries has demonstrated the financial benefits available to those who decide to invest in strong data privacy practices. The cost of compliance can be high but, with strong returns available to those who do invest, it is well worth it. There are competitive and operational advantages, several benefits for companies with higher accountability scores, and data privacy compliance is being seen as a buying factor when selecting third-party vendors.

Most importantly, the benefits are calculated, on average, to be 2.7 times an organisation’s investment in data privacy compliance. The return on investing in data privacy compliance is clearly well worth it and means that data privacy compliance needs to be budgeted for accordingly.