The General Data Protection Regulation will be enforced from May 25, 2018. One thing institutions are realizing is the cost of complying with the GDPR. A recent research study by the legal tech firm Axiom stated that Fortune 500 and FTSE 100 firms might need to spend approximately £800 million to evaluate contracts and validate their compliance with the GDPR. Not all firms are going to spend that much, but the fact of the matter is that money will have to be spent to make the adjustments that allow companies to operate without breaching the GDPR.
Two of the key areas that are likely to dictate the total cost of GDPR compliance efforts are a firm's existing data processes and the nature and range of data it handles. Understandably, the largest cost associated with GDPR compliance is the cost of audit and data classification. The audit is the initial and most important part of compliance, since it identifies the types of data that a firm stores and processes. In this step, risks should be identified and resolved before any new procedures are implemented. There must be a way to group the stored data by individual data subject. How consent is acquired for every piece of personal data must also be assessed.
After the audit, any information that is incorrect must either be corrected or removed. Appropriate technical and organizational procedures should be put in place to reduce or minimize the identified risks. Because data subjects were grouped in the previous step, it is much easier to locate the data needed to satisfy a person's request for a copy of their personal data or for its removal, which is what the “right to be forgotten” means. The consent for data processing, also checked in the earlier step, should be re-verified to ensure it complies with the GDPR; for any data that lacks consent, consent must be requested again before the data is stored or processed.
A considerable number of hours will undoubtedly be spent on finishing the audit, writing the procedures, training personnel, and validating information, even for firms that hold only smaller amounts of data. Furthermore, organizations employing more than 250 people will be required to employ or train a Data Protection Officer if no such position already exists in the company. It must not be forgotten that employees are also protected by the GDPR, so employee personal data and contracts should also be evaluated by HR.
While complying with all the demands of the GDPR is expensive, non-compliance is going to be a lot more costly. Penalties have been approved for enforcing the GDPR, and the maximum financial fine is €20 million or 4% of global yearly turnover, whichever is greater. In addition, financial sanctions imposed on a violating organization also cause image and reputational harm to organizations that do not take the required measures to protect the data of data subjects.
Compliance with the GDPR should be regarded as a cost of doing business. It is a legal challenge that must be overcome by businesses that handle the personal data of people located in the EU. Companies that fail to take the required steps to guarantee compliance, or that only make superficial adjustments, are at risk of serious monetary and reputational costs.