The Costs of Documenting GDPR Compliance

Required effort is not high for most companies

The costs of compliance can be broadly separated into three categories: establishing compliance, operational compliance, and risk management.

Establish Compliance

Finding a Person

Someone has to handle the GDPR tasks. That may be you or someone else. You or an internal employee would need to spend quite some time understanding GDPR compliance at a basic level. It is similar to other compliance and certification schemes: you may be an expert in your own domain and still spend considerable time working through the specific documents that need to be set up.

It is often cheaper to hire an external consultant rather than develop in-depth expertise in-house. Most small and medium companies need a few days of a GDPR specialist to establish compliance and a few hours per year to maintain it. An in-house, home-trained specialist would spend much more time learning the skill and would continuously require time to maintain it.

Building Inventory of Processing Activities

The costs are determined by the diversity of the personal data processing activities that your company conducts. You need to discover all activities (parts of computer systems or manual processes) that involve personal data and create an inventory. This inventory is called 'Records of Personal Data Processing Activities' and most companies need to maintain one.

The amount and the granularity level of these activities vary. Here are some indicators:

  • Simple website: 3-5 activities (operating the website, backups and security, cookies, third-party components).
  • Marketing: 3-5 (client or prospect database, mailing list, a specific campaign or two).
  • Sales: 1-3 (process orders, order delivery or execution, returns).
  • Customer support: 1-2 (support database, intake of requests).
  • HR and employment: 1-5 (HR files, hiring, firing, promotion, payroll). They are often combined and (partially) outsourced.
  • Business processes: varies, 1 per automated flow that you operate.

A small company with a few employees would typically need to register 10-20 processing activities. A larger company would need a bit more. When choosing your PrivacyDocs subscription, you can start with the cheapest 'small business' plan, which is suitable for most smaller and medium companies. You would probably stay within its limits for the first year of your GDPR work and can upgrade to the bigger 'medium business' plan as needed.

Costs of Each Record of Processing Activities

Each processing activity needs a record in the Records of Personal Data Processing Activities. It costs the following:

  • 1 hour to discover a processing activity (think of talking to your IT or marketing team to understand what is actually going on).
  • 4 hours for the initial write-up: a 1-hour interview with you, someone who knows the processing, and someone who is responsible for the processing, plus 1 hour to set up and write up the record.
  • 1-4 hours for follow-ups (finding missing details, relevant contracts, notices shown to the data subjects, etc.).

Plan for about two activities per day; for small companies some of these steps go faster than for larger companies.

Costs of Assessments

When building the inventory, you may realize that an activity needs an additional assessment: a Data Protection Impact Assessment (DPIA) for riskier operations, a Legitimate Interest Assessment (LIA) for activities that rely on your legitimate interest as a company, and a Transfer Impact Assessment (TIA) if you use systems operated by vendors outside the EU (and outside the few countries that provide adequate protection).

These are sizeable documents and may require 1 to 5 days to complete.

Operational Compliance

Operational GDPR compliance requires less effort, especially for companies whose processing does not change much.

Update the Records of Processing Activities

According to the GDPR, the records need to be updated prior to any change in the processing and periodically. Annual review is often sufficient for processes that are not expected to change (such as most administrative processes).

1-3 person-hours per processing activity are often sufficient. Expect to actually talk to people and gather additional details on the first review, and to just send the annual 'is it still the same?' emails in the following years.

Register Breaches

When people make mistakes or your systems get hacked, you need to register personal data breaches in an internal registry (part of the PrivacyDocs suite). Each breach registration involves three parts, plus a fourth step for higher-risk breaches:

  • Registration (1 hour of a privacy expert and 1 hour of a domain expert).
  • Risk assessment (1 hour of a privacy expert and 1 hour of a domain expert).
  • Proposed mitigation measures (varies).
  • Report to the data protection authority and to the affected individuals if the breach presents a higher risk and is not contained (4-20 hours).

Most breaches (such as typing a wrong email recipient) require less than 4 hours to document.

Respond to Data Subject Requests

Data subject requests (such as requests for information stored about a certain individual or requests to be forgotten) are often fulfilled by the data protection specialist, mediated by the Legal department. Costs of response vary with a minimum of 1 hour.

Manage Risks

The risk assessments may highlight risks that need to be mitigated by changing the processes or updating documentation. The associated costs of managing and mitigating risks may be the largest of all. Some companies rely on computing systems or business processes that are not compliant and require significant changes to become compliant.

In practice, risk management is not expensive for most companies that do not rely on personal data processing as the core of their business.

Get Help

Engaging a professional service, such as the PrivacyDocs GDPR consultancy service, is often the most cost-effective way to achieve and maintain GDPR compliance. It is important to focus and steer your consultants on the GDPR compliance aspects that you really must have. Many aspects are nice to have but, if missing, form acceptable non-compliance risks.