Blog
GDPR
How Much does GDPR Compliance Cost?

How Much does GDPR Compliance Cost?

How much does GDPR compliance cost?

Updated
December 14, 2023
Posted
September 25, 2018
GDPR
How Much does GDPR Compliance Cost?

How Much does GDPR Compliance Cost?

Ernst & Young, a global professional services firm, reported that the world’s 500 biggest corporations are on track to spend a combined total of $7.8 billion to comply with GDPR. That’s a significant impact on the industry overall, but what about individual businesses? One of the most common questions we get is, “How much will GDPR cost me?”

Check out GDPR Defense for small businesses.

The answer is more complicated than a basic dollar amount. There are many factors that will scale the cost of your GDPR implementation–for example, the size of your organization or the types and volume of personal data your organization handles. There are also different steps and phases in the GDPR compliance process and each comes with its own unique costs and time requirements—from the data discovery process, to customer GDPR privacy notifications, to training employees.

See also: GDPR 101 Webinar

Factors that will drive compliance costs

The most relevant question you should ask is: Does your organization process personal data of EU persons? If not, then GDPR does not apply to you. If you do, you should read through the following factors to better understand what might be required of you:

  1. Is your organization a data controller or a data processor? While both parties are responsible for protecting personal data, certain requirements apply to controllers or processors only.
  2. What are your risks? If risks related to securing personal data have not been mitigated, additional controls may need to be implemented.
  3. What categories of personal data does your entity handle? How many different teams, lines of business, or processes handle personal data? The greater the number, the higher the costs. A data mapping exercise must be completed to inventory all personal data processed by your organization. We can help with this.
  4. How many distinct repositories are used to store personal data?
  5. How many organizations does your entity share data with? Have you implemented processes to monitor vendor compliance?
  6. Does your organization transfer personal data to organizations in non-EU countries? If so, you will need to verify that contracts with international organizations enforce GDPR requirements for the protection of personal data.
  7. Does your company retain personal data indefinitely? To reduce burden of compliance, data should be retained for the least amount of time needed.
  8. Have processes been implemented to manage the data lifecycle? This includes processes for accessing, correcting, updating, transferring, restricting, removing, and retaining personal data.
  9. Do your contracts with clients and vendors address GDPR requirements? Legal review of contracts will be needed to verify whether a Data Protection Addendum must be drafted and signed by clients and vendors.
  10. Do you process children's personal data? If yes, additional requirements will apply.
  11. Have you tested your security controls implemented to secure personal data? Use trusted penetration testers and vulnerability scan vendors to help with this.
  12. Has your organization assigned someone to oversee privacy? Depending on how your organization processes personal data, a Data Protection Officer (DPO) will need to be appointed.

See also: GDPR 101 Part 1

After answering these questions, start a GDPR gap assessment to identify areas for improvement and help your organization develop a roadmap to achieve compliance.

The relative costs of GDPR compliance, step by step

Depending on the factors mentioned above, your roadmap to GDPR compliance will include some or all of the steps below. And, the true cost to comply will depend on how and at what scale each step is completed.

1. Assign a Data Protection Officer

Chances are, you‘re not required by law to formally appoint a DPO to oversee GDPR compliance. However, it’s a good idea to assign an internal employee or team of employees to be in charge of GDPR efforts. If you are required to appoint a DPO, you might assign an individual within your company ($) or hire a third party to fulfill this duty ($$$).

2. Record of Processing Activities (Inventory)

This mandatory step is an important one. You must map the flow of protected data into, out of, and within your organization. As you record the processing activities, you must identify the purposes for processing personal data and any transfers of personal data to countries outside of the EU. The amount and categories of data you handle will affect the cost of this step for you. A low volume of data ($) will obviously take less time and money, while large volumes of data ($$$) will cost more. The number of processes and number of data types will also play a significant role in the final cost.

3. Gap assessment

A gap assessment will include a comparison between current controls, policies and procedures vs GDPR control requirements ($$$). During your gap assessment, you’ll start by asking--Do we have adequate policies and procedures in place to address data subjects’ rights defined in the GDPR? If not, you’ll need to implement or update (step 4).

4. Policies and procedures

This is the step where you’ll implement and update initial and ongoing policies and procedures to address GDPR data protection requirements ($-$$).

5. Modify processes

To verify you are addressing all aspects of the data life cycle and rights of data subjects, you should modify your processes to be GDPR-compliant ($$$).

See also: GDPR 101 Part 2, GDPR 101 Part 3

6. Train employees

Employee security training is always important but even more so when implementing new controls related to GDPR compliance. You don’t want your hard work, planning, and investment to go to waste because you skipped training employees ($-$$). You can find ideas to train employees on security here and here.

7. Monitor compliance

Compliance monitoring oversight responsibilities should be assigned internally. Monitoring compliance involves many departments: IT and Operations, Development, Marketing, Sales, etc. It involves training employees, following up on that training, and investing in the security technologies needed to ultimately protect and honor data subjects’ rights. ($$$$)

Note: At any time, you could consult legal counsel to advise and support you in completing these steps. You might seek legal help to draft privacy notices or add data protection requirements to contracts with data processors, who may process personal data on your behalf.

Obviously, legal costs will augment the total costs of GDPR compliance.

See also: PCI vs. GDPR Blog and GDPR FAQs

The cost of not complying with GDPR

It’s worth noting that there are possible inherent and external costs for not complying with GDPR. Fines from supervisory authorities in the EU can reach up to 20 Million Euros or 4% of annual global revenues, whichever is greater. Protecting the rights of data subjects is a serious business, and as the value of personal data rises, so could fines.

If you have questions about GDPR, PCI compliance, HIPAA, or general data security, please contact us here.

Join thousands of security professionals.

Subscribe Now

Free Security Course

View Course

Get Quote for GDPR Compliance

Request a Quote
Stay up to date
Subscribe to our blog.
Subscribe Now
Data Security
Vulnerability ScanningPenetration TestingSecurity TrainingPANscan®SecurityMetrics VisionSecurityMetrics MobileCIS Controls AssessmentConsultingResellerForensic/Incident ResponseData and Network SecurityData Security AcademyWebpage Integrity Monitoring (WIM)Shopping Cart Inspect (PCI Req. 11.6.1)Shopping Cart Monitor (PCI Req. 11.6.1)SecurityMetrics Pulse
Compliance
GDPR CompliancePCI CompliancePCI DSS AuditPCI Level 4 ProgramPA-DSS/SSF AuditP2PE AuditPIN Security AssessmentPCI PoliciesPCI TrainingHIPAA ComplianceHIPAA PoliciesHIPAA TrainingHealth Network ProgramHITRUST
Company Info
About UsBlogGlossaryMedia RelationsCareersTerms of UsePrivacyAbuseDo Not Sell My Information
Contact
Contact UsReport a Vulnerability
SecurityMetrics podcast logoLinkedIn logoFacebook logo
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy PolicyTerms and Conditions
Your IP Address is:
YouTube logoSecurityMetrics podcast logoLinkedIn logoFacebook logo
Subscribe to our blog
Subscribe Now
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy Policy
|
Terms and Conditions
|
Your IP Address is:
000.000.000.000