New privacy regulations have been in vogue recently. The increasing number of high-profile and high-impact data breaches has made data privacy a focus of consumers and regulators alike. The EU’s General Data Protection Regulation (GDPR) is probably the most famous of these.
The GDPR takes significant steps to improve the data privacy landscape and, due to the size of the protected population, has an impressive scope. As a result, organizations all over the world have been spending significantly in recent years in order to achieve GDPR compliance.
What is the GDPR?
The European Union’s General Data Protection Regulation (GDPR) is a piece of legislation that came into effect on May 25, 2018. It is designed to protect the privacy of EU citizens from misuse or breach of personal data collected by companies or other organizations.
The GDPR is significant because it expanded the definition of Personally Identifiable Information (PII) that must be protected and significantly increased the penalties associated with failing to do so. Under the new legislation, protected personal information includes anything that can be used to uniquely identify an individual, including email addresses, IP addresses, and phone numbers.
Failing to appropriately protect this data can result in fines of up to 20 million Euros or 4% of an organization’s global turnover per breach. Even if sensitive data is not breached, failing to comply with the requirements (like not keeping the appropriate records) can result in fines up to 2% of global turnover. As a result, organizations are well-motivated to become GDPR compliant, despite the cost of doing so.
The GDPR price tag
The cost to an organization for achieving GDPR compliance can be significant. In fact, 10% of surveyed C-level executives expect that GDPR will cost them over $1 million to achieve compliance. However, this price tag is mainly for large organizations. 80% of micro-organizations (1-9 employees) expect to keep their costs under $50,000, and the majority of enterprises (1000+ employees) expect to exceed that $50,000 price tag.
An interesting fact about the costs of the GDPR is that they’re not just limited to companies headquartered within the EU. The new legislation applies to any organization that regularly processes the personal information of EU citizens. The global nature of the Internet means that many organizations operating outside of the EU must pay the price of GDPR or give up the entire European Union as a potential customer base.
Why GDPR is so expensive
The GDPR is an expensive regulation for many businesses since it directly contradicts their standard business practices. Data has become an extremely valuable commodity, and some organizations’ revenue models are based, wholly or in part, upon collecting and selling their customers’ personal data to other interested parties. While this may be technically possible under GDPR, the new legislation’s requirements force businesses to be more transparent about their actions and intentions, increasing the probability that their customers will deny them permission to do so.
GDPR defines a variety of roles and responsibilities for affected organizations. However, some of its requirements have a greater effect on the cost of compliance than others.
Protection of personal data
The GDPR is primarily designed to protect the personal data of EU citizens. As part of this, the GDPR clearly defines the type of data that must be protected under the regulation. This includes:
- Identity information (name, address, etc.)
- Internet data (IP address, email address, geolocation, etc.)
- Health data
- Biometric data
- Race and ethnicity
- Political preferences
- Sexual orientation
Any of the data in these categories can be helpful in trying to uniquely identify an individual. This is some of the most valuable data for resale (e.g. for targeted advertising) and is also what GDPR is explicitly designed to protect. Under the new regulation, organizations need to discover all such data within their organization and take (potentially expensive) steps to appropriately protect it.
Explicit Consent
One of the ways that GDPR changes how companies must operate with regard to personal data is requiring that customers have the option to opt-in rather than opt-out of data collection and processing. Some organizations design their systems to force customers to consent to this by default and make opting-out extremely difficult. Under the new regulation, organizations must gain explicit consent for data collection and processing, and the privacy policy must be written clearly (not in legalese designed to confuse and mislead). As a result, organizations need to perform a comprehensive audit of how data is and will be used within their organization and modify their policies accordingly, which adds to the GDPR price tag.
Breach reporting
Data breaches occur on a regular basis, causing embarrassment and financial harm to the affected organizations. As a result, some organizations have attempted to conceal a breach to avoid scrutiny and penalties (Uber is a famous example of this). Under GDPR, any breach that falls under the regulation’s oversight must be reported within 72 hours of discovery or risk penalties. Modifications to infrastructure, policies, and procedures to accomplish this are another component of the cost of GDPR.
The Impact of GDPR
The General Data Protection Regulation was the first of several pieces of legislation designed to improve the privacy of consumer data. The cost of GDPR is significant to many organizations due to the changes in how they must collect and process consumer data. However, the long-term impact of achieving GDPR compliance is likely favorable to consumers and organizations alike, due to the probable decrease in data breaches and in the costs they impose on all parties.