The new European regulation on personal data protection is one of the major challenges for 2018 for many enterprises, and the bad news is that compliance programs are synonymous with costs. Nevertheless, there's no reason to panic! The costs associated with GDPR are not necessarily as large as you might imagine. Moreover, some of these costs can turn out to be valuable investments to drive your productivity. Here is an overview of the budget you can expect to allocate to ensure compliance with the GDPR.
Costs relating to raising awareness of GDPR; what kind of budget?
You should consider, in the first instance, the costs relating to the training of your staff. This is because the GDPR is not a clearly defined challenge in everyone's mind. You need to evangelize to your teams, particularly departmental managers, who can then convey the right message.
To get off to a good start, plan training sessions for all senior managers. Expect to pay around $2,250 per person for two days for this part of the training. You should then allocate internal man days to prepare communications platforms and organize meetings to raise awareness, etc. Also set aside time to select your future Data Protection Officer (DPO) and an individual who acts as Data Processor.
Costs related to preliminary GDPR analysis: what kind of budget?
Now that you and the rest of your business are in full agreement on the topic of GDPR, and your DPO has been appointed, you can star auditing your first system. To do so, if you have not yet done so, choose your IT service provider.
Obviously, the costs will be linked to the size of your business, the volume of data stored in the selected system (CRM, ERP, e-mail, etc.) and the complexity of its architecture. To give you an idea of the order of magnitude, you can expect to allocate three to ten project management man days at $875-$1,125 per day for each system, so around $5,000 in total.
Following these audits, you will need to carry out an impact analysis for your data. There are two options for these impact analyses: either you can go it alone, or you can benefit from the support of a law firm. Obviously, we recommend the second solution for its reliability. You should therefore expect to pay around €200/hour (knowing that it will take around a working day to complete a review if a subcontract, for instance).
For corrective costs relating to achieving GDPR compliance: what kind of budget should you assign?
The costs of corrective measures that you will then need to take, and your audits and impact analyses, are much more difficult to estimate because it truly is on a case-by-case basis. Moreover, implementing these corrective measures may involve your IT service provider, your law firm, and of course, your internal teams.
In an attempt to shed some light on the matter, expect to pay:
Per day for a project manager from an IT service provider $875-$1,125
Per day for a developer from an IT service provider $750-$1,000
Per hour of legal advice $250
In addition to the costs throughout this article, don't forget to assign a long term GDPR compliance budget. This will enable you to anticipate documentation updates, new corrective measures, etc., and to manage them with confidence.