Money

The Opportunity Costs of GDPR Compliance (and How to Drive Costs Down)

Jingcong Zhao Hyperproof, Research

Achieving GDPR compliance is an expensive and time-consuming endeavor. DataGrail, a privacy management platform, recently released some stunning figures on how much it all costs.  They estimate that the average company spent 2100 hours in meetings alone to plan for GDPR. 

Earlier this year, DataGrail surveyed over 300 privacy decision makers to understand the costs of complying with GDPR as well as organizations’ plans to keep up with emerging privacy regulations such as the California Consumer Privacy Act (CCPA). The results painted a clear picture: the vast majority of organizations are trying to solve data privacy compliance with money and people. Only the early adopters are using technology to improve the management of compliance regulations. DataGrail pointed out that by focusing on human resources instead of technology, companies may be challenged to sustain compliance over the long run.

In this blog post, we’ll share some of the key findings from the survey and DataGrail’s recommendations for sustaining compliance. We’ll also provide our own take on how organizations can sustain compliance with GDPR over time and with upcoming privacy regulations while keeping costs down.     

Key Findings: DataGrail’s Report “The Age of Privacy: The Cost of Continuous Compliance” 

Here are a few findings that highlight the upfront costs companies incur to become GDPR-compliant.  

  • The road to GDPR compliance is full of challenges: Top challenges include making sense of the requirements, charting a course to compliance, managing workflows across multiple systems, and the lack of time and people to plan, manage, and execute the program.  
  • Six figure spending is typical: Benchmarking the financial cost of compliance as a baseline, 74% of companies spent more than $100,000 on compliance consulting services and technology solutions, and 20% spent more than a million. 
  • Indirect, opportunity costs are enormous: Two-thirds of organizations had 25 or more employees involved in managing GDPR, and 80% of organizations met at least a few times a month. DataGrail conservatively estimated that the average company spent 2100 hours in meetings alone. 
  • Technology is not widely adapted: Half of all surveyed professionals still use manual processes to identify the location of personal data and to manage Data Subject Requests (DSRs) — a time consuming endeavor. 

Here are a few findings that illustrate the ongoing challenges and costs.   

  • DSRs is a top challenge for ongoing GDPR compliance: DSRs take a lot of time and effort to service. More than half (58%) of companies are receiving 11+ DSRs per month, and more than half of the surveyed companies have at least 26 employees managing these requests. 
  • Privacy employees will be more in demand: 9 out of 10 companies plan to hire at least three people to manage privacy regulations in the next two years. 
  • Lack of confidence in ongoing compliance: Despite ongoing investments to stay compliant with privacy regulations, organizations lack confidence that their systems are keeping up. In fact, 70% of respondents agree that the systems they put in place (or will be putting in place) will not scale as new regulations emerge.  

Organizations’ Plans for CCPA  

DataGrail surveyed respondents on the tactics they used to plan for GDPR and CCPA. Compared to GDPR preparation tactics, companies preparing for CCPA are focused on employee training (61% of respondents selected this tactic) and new policy creation (53% of respondents selected this tactic) more so than implementing technology (49% of respondents). 

Based on these findings, DataGrail concluded that “by focusing on human resources instead of technology, companies may be challenged to sustain compliance over the long run, and to continually support new emerging regulations, despite a large upfront investment in time and effort.”   

DataGrail asserted that the path to sustained compliance will require smart processes and technology, including identifying systems that hold regulated data, putting practices in place to update those systems when new information is added, using technology to handle data privacy requests, and above all else, “solutions that will support new privacy regulations as they emerge and the associated complexities of dealing with multiple regulations.”

 
How Organizations Can Sustain Compliance Over the Long Run  

We agree with DataGrail that technology is a critical element to achieving continuous compliance. Technology isn’t just useful for automating routine work (such as managing DSRs)  and reducing human error; it’s also critical for bending down the cost curve as organizations figure out how to comply with multiple new privacy regulations. 

Here are some ways Hyperproof’s own compliance management solution can help organizations scale up their compliance programs to meet multiple regulations: 

  • We can help your organization chart the course to becoming GDPR or CCPA compliant. Use Hyperproof’s starter frameworks and controls to stand up a new program in minutes.  
  • We will notify you whenever a regulation or industry standard changes and tell you what you need to do to stay in compliance. 
  • We provide the single source of truth for your programs. When you have everything — programs, controls and evidence — in one place, you can identify common controls that meet multiple standards/requirements and manage a smaller set of controls to achieve compliance with multiple regulations faster.  
  • We’ve built integrations with many business productivity tools and business applications so you can automate the evidence collection process and keep evidence up to date. 
  • You can tag evidence and re-use evidence across multiple frameworks and controls 

All this helps to lower the cost of compliance and reduce human error in processes. 

Talk to Hyperproof

If you’d like to learn more about how we help organizations bend the cost curve of compliance, we’d love to talk to you