GDPR Will Cost You
All businesses that collect and store personal data of EU-based citizens are required to be compliant with General Data Privacy Regulation (GDPR) in just one month, on May 25. If they aren't, they risk a fine of up to €20 million ($24 million) or 4% of their annual revenue, whichever is greater. Satisfying the compliance requirements will cost businesses, but that will be far cheaper than the price of not complying. Move fast or expect to be fined. The fines may bankrupt the non-compliant business.
As I explained in an earlier No Jitter post, GDPR is a set of regulations the EU passed in 2016 to protect EU citizens' identity rights and reduce identity theft. GDPR applies to any business operating in the EU, or any business that collects, stores, and distributes data on an EU citizen no matter where the business is located. Businesses must securely store and protect all sensitive, personal information relating to EU citizens according to the law's requirements.
The GDPR Survey
To understand the importance of GDPR for U.S. businesses, Web security firm Netsparker conducted a survey of 302 U.S. chief executives. The goal was to gain insight into how non-EU businesses are complying with GDPR, how they're planning to conform to the regulations, how much effort is needed, and how much compliance will cost.
Almost half (48.7%) of Netsparker respondents said their companies have completed more than 75% of the required work. Optimistically, 71.2% of respondents anticipate they'll be compliant before the May 25 deadline. Another 26.5% think they're on the right track and expect to be ready by the deadline. A surprising 2.3% of those that have started don't expect to be ready by May 25, and few -- 1% -- haven't started at all.
Are You Prepared for GDPR Compliance?
The effort in the U.S. around GDPR has been focused on gathering, using, and in most cases protecting the data on citizens. Citizens can opt out of many data collection processes, but I know brokers that I don't know about collect and sell my data. I don't own my data. In the EU, the data collector is privileged to collect and use the data as a custodian, not as an owner like it is in the U.S.
In the Netsparker survey, 62.9% of respondents reported that their staffs know enough about GDPR so are undertaking the compliance efforts in house. Some are using third-party service organizations (27.8%) to assist with achieving compliance. A surprising number, 8.9%, reported they have not located enough information -- but there are plenty of articles, vendor marketing and promotions, and Websites covering GDPR, so I have to wonder where they've looked.
What Will GDPR Compliance Cost?
How much GDPR compliance costs a business depends on company size, as mostly related to the number of employees. The larger the business, the more it will spend on GDPR compliance. The distribution of costs is shown in the table below.
The staffs in the U.S. have to change their mindsets, possibly procuring and using new tools, as well as the tools they already have. They'll need some training as well. Although businesses anticipate that they'll be compliant, some are sure to run afoul of the regulations. Those that believe they comply will have to have their staffs or third-party service organization regularly revisit their compliance efforts to ensure they still comply.
Auditing GDPR Compliance
For compliance auditing, I expect some consulting and service organizations will perform GDPR compliance audits, another addition to the compliance budget. Whenever there is litigation and a judgement relating to GDPR enforcement, businesses will rush to revisit their GDPR compliance efforts.
I'd also expact a periodic review to insure a business is still compliant. And, as with any regulation, there'll be changes to improve them, which stimulates more audits. The GDPR compliance efforts will not finish on May 25. They will continue, and so will the expenses.