The Road to GDPR Compliancy, a Cost Analysis of the Belgian Business Landscape
Within 1 week, on the 25th of May 2018, the new General Data Protection Regulation (GDPR) will come into force. From that moment on, all companies dealing with personal data of EU citizens will have to demonstrate either their compliancy with GDPR or at least a significant effort and a clear roadmap to become compliant, showing their legal assumptions and documenting the decisions taken. Non-compliancy might result in monetary fines, but more importantly there are strong reputational risks which might lead to a decrease in customer confidence.
The new requirements imposed by GDPR are likely to result in a significant compliancy budget for organizations. To give them a better view of the compliancy costs, Sia Partners has developed a financial model to calculate the average compliancy project cost for Belgian firms with more than 50 FTEs, taking into account several parameters such as the sector, the customer base, the number and types of personal data processed, etc.
In this article Sia Partners first gives a high-level overview of the topics on which companies will incur the highest costs during their GDPR compliancy project. Secondly, this article summarizes the average project implementation cost for the most impacted sectors in Belgium based on Sia Partners’ model.
Main cost drivers during a GDPR implementation project
Sia Partners has assisted dozens of organizations in the implementation of their GDPR compliancy projects. Most of the incurred costs can be allocated to four types of measures to be implemented: the first is fulfilling the new data subject rights; the second is managing data subject consent; the third is putting in place the governance model; the last is implementing satisfactory IT security measures.
New data subject rights
To fulfil the new rights for data subjects discussed below, most organizations will have to redesign their business processes. A large majority of organizations develop a fully automated client portal where the data subject can access their personal data and make the necessary changes or extracts. Other organizations focus on partially automated or manual solutions. Both options represent significant costs for organizations. The magnitude of those costs depends on the number of employees affected by the changes and on the cost of the IT solutions.
Right to access implies that a data subject has the right to ask a company whether or not his/her personal data is being processed, and to ask for access to that personal data (e.g. in the form of a PDF extract).
Right to data portability implies that a data subject has the right to demand that their personal data is exported to them or to another provider in a machine-readable format (XML, Excel file …).
Right to rectify gives individuals the right to have personal data rectified in case it is inaccurate or incomplete (e.g. spelling error in name).
Right to be forgotten makes sure that an individual has the right to request erasure of his personal data when there is no compelling reason for its continued processing.
GDPR highlights other rights, yet the ones above have the most structural impact on organizations’ processes.
Under GDPR, the rules for data subject consent are stricter. A company needs to assess the legal basis of each processing activity. The processing of personal data can be necessary to perform a contract, but it can also be based on legitimate interest or on consent, which can be the case for marketing purposes. When a processing activity is based on consent, an organization has to capture the specific consent of each concerned data subject and has to make sure this consent is stored and retrievable. Next to that, a process should be put in place for the data subject to withdraw his consent with the same ease as the consent was given. Once a data subject has withdrawn consent, his personal data can no longer be used for this processing.
Most of the costs arise from implementing a system or a process that allows consent to be stored and withdrawn efficiently. Moreover, there is a significant workload to ensure that the processing is halted when a data subject has withdrawn consent.
GDPR imposes a list of new measures that a company must implement, including those presented below. There is a high workload associated with the implementation of these policies or with the review and update of the existing policies to the new standards.
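The consent requirements described above (consent captured per purpose, stored and retrievable, withdrawn as easily as it was given, and processing halted once withdrawn) as a small added example; this is not code from the original article or from Sia Partners, and the registry class, subject ids, purpose names and form identifiers are assumptions made for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List

@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str       # the processing purpose the consent is bound to, e.g. "marketing"
    given: bool        # True = consent given, False = consent withdrawn
    timestamp: datetime
    evidence: str      # where/how the event was captured, kept so the decision can be shown

class ConsentRegistry:
    """Append-only consent ledger: events are never overwritten, the latest one decides."""
    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def _append(self, subject_id: str, purpose: str, given: bool, evidence: str) -> None:
        now = datetime.now(timezone.utc)
        self._events.append(ConsentEvent(subject_id, purpose, given, now, evidence))

    def record_consent(self, subject_id: str, purpose: str, evidence: str) -> None:
        self._append(subject_id, purpose, True, evidence)

    def withdraw_consent(self, subject_id: str, purpose: str, evidence: str) -> None:
        # Withdrawing is one call, as easy as giving consent; the earlier record stays for audit.
        self._append(subject_id, purpose, False, evidence)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        # The most recent event for this subject and purpose decides.
        # No record at all means no consent: absence is never treated as permission.
        matching = [e for e in self._events if e.subject_id == subject_id and e.purpose == purpose]
        return bool(matching) and matching[-1].given

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Full consent trail for one subject, retrievable for access requests and audits."""
        return [e for e in self._events if e.subject_id == subject_id]

def select_recipients(registry: ConsentRegistry, candidates: List[str], purpose: str) -> List[str]:
    """Processing gate: a subject is processed only while consent for this purpose is current."""
    return [s for s in candidates if registry.has_consent(s, purpose)]

def demo_registry() -> ConsentRegistry:
    # Constructed sample data (hypothetical subject ids and form names), not real records.
    reg = ConsentRegistry()
    reg.record_consent("subj-001", "marketing", "web-form:newsletter-v3")
    reg.record_consent("subj-002", "marketing", "web-form:newsletter-v3")
    reg.withdraw_consent("subj-002", "marketing", "unsubscribe-link:campaign-17")
    return reg
```

Because consent is bound to a purpose, a subject who consented to marketing is still excluded from any other purpose until a separate consent is recorded.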
Data Protection Officer (DPO): An organization has to assign a DPO as the single point of contact for all privacy related matters. If no internal profile corresponds to the skills needed as DPO, the organization might decide to hire one or more qualified employees. Some organizations decide to externalize this function.
A code of conduct needs to specify how internal and external employees have to treat personal data.
Data register: Each personal data controller needs to maintain a record of processing activities under its responsibility. It should be accurate and should reflect the actual state of processing activities.
Data privacy assessments: Every company has to conduct several assessments to identify and mitigate processing activities that represent a high risk for data subjects.
Important costs of GDPR implementation projects are related to IT security, especially in organizations with a rigid IT infrastructure and a less mature orientation toward the protection of the information system architecture. GDPR requires organizations to consider additional security measures that should be in place, such as implementing safer data transfer methods and reviewing IT application access rights and data storage.
Data security: Every company will have to review its data transfers, access to IT systems and data storage rules.
Data breach management: a process will have to be put in place to manage and notify data breaches. The DPO has to report the data breach to the regulator within 72 hours.
Estimated GDPR costs for Belgian organizations
In order to give companies an idea of the budget that will be required to become compliant, Sia Partners developed a model that articulates the main cost drivers and computes the average cost. This model takes into account several parameters such as orientation (B2B or B2C), types and quantity of personal data, IT complexity, international reach, etc.
A closer look on the most impacted sectors in Belgium
The total sector cost of implementation is the highest for the Retail, Financial Services and Information & Communication sectors with numbers ranging between €110 and €180 million. This is directly linked to the specific characteristics of each sector. For Retail the high cost is mainly driven by the very high number of companies, mainly smaller organizations. For Financial Services and Information & Communication the main drivers are the large quantities of personal data, including sensitive data, and typically complex IT architectures.
Figure 1: Cost per sector in Belgium
Average cost per type of organization
Next to the estimation of the total sector costs, the model allows analysis of the average project cost for each organization in each of the sectors. We have modelled the average project cost for organizations with more than 250 FTEs and companies with 50-250 FTEs.
As shown in Figure 2, a GDPR compliancy project is significantly more expensive for larger organizations than for smaller ones. On average, a GDPR compliancy project will cost € 0,17 million for companies between 50 and 250 FTEs, whilst this increases to €1,42 million for companies with more than 250 FTEs. It is hardly surprising that budgets increase with the number of FTEs of an organization; however, we see that the average GDPR implementation cost per FTE is lower for larger companies. Organizations with more than 250 FTEs have an average cost of €882 per employee, whilst this rises by more than 50%, to €1,361, for smaller organizations. This can be explained by the fact that certain fixed costs can be spread across a larger number of employees.
Figure 2: Average project cost and cost/FTE for both company sizes
A detailed look on the impact per sector
When we look at the average cost of a project in the different sectors, there are remarkable differences between industries. Figure 3 represents the average project cost per sector for firms with 50-250 FTEs. The Financial Services, Information & Communication and Energy sectors have the highest average project cost for implementing GDPR (± 0.6 – 0.65 million). The average cost for the other sectors is below € 0.1 million per project. The high compliancy costs for the Financial Services, Information & Communication and Energy sectors can be attributed to industry specifics such as the wide range of customers, wide product range, large volumes of sensitive data and complex IT architectures.
Figure 3: Average project cost per sector for firms with 50 – 250 FTEs
In Figure 4 the average project cost for firms with more than 250 FTEs is shown. In this segment, the Energy, Financial Services and telco sectors have the highest implementation cost per project. The average cost of a project in these sectors is ± € 6 million. Other sectors have implementation costs ranging between € 0.2 and € 3 million. The explanation can lie in the fact that these sectors process a larger amount of personal data. This is because those companies are in direct contact with their B2C customers for most of their business processes, for different types of purposes, and because the industry consists mainly of larger players.
Figure 4: Average project cost per sector for firms > 250 FTEs
The results show that the cost of a compliancy project rises with the number of employees in a company, while the cost/FTE decreases. It is also noticeable that project costs are heavily influenced by the sector in which the company is operating. Next to that, implementation costs are significantly influenced by the different cost drivers described above and are subject to the compliancy level to be achieved.
Sia Partners’ model shows that average project costs for smaller companies (50-250 FTEs) range from around € 2 million for companies that handle sensitive and large quantities of data, such as Energy and Financial Services, to projects of at most € 0.5 million for the other merchant sectors. In the larger companies (>250 FTEs), average project costs increase to € 10 million for the Energy, Financial Services and Retail sectors.
No matter the industry, these budgets represent significant investments for organizations. However, a potential fine of 4% of the revenues would also represent a multiple of the implementation cost.