The General Data Protection Regulation (GDPR) has now been in force for two years. The European Commission has reviewed the past two years and subsequently released a report based on the successes and failures of the GDPR.
The General Data Protection Regulation (GDPR) has now been in force for two years. The European Commission has reviewed the past two years and subsequently released a report based on the successes and failures of the GDPR. The report found that 69% of over 16s in the EU were aware of the GDPR and 71% have heard of their national data protection authority that is in place to assist with GDPR compliance.
The GDPR ensures that there is now one set of European regulations to work with which means that all businesses in the internal market have to operate within the same parameters when it comes to data and can benefit from the same opportunities. The GDPR cannot be read in isolation, as it gives Member States limited opportunities to make provision for how it applies in each EU country. It is therefore important to have regard to the Data Protection Act 2018. Crucially, the GDPR has encouraged customers to increasingly consider the way companies handle privacy when choosing their services, thus encouraging businesses to ensure they are GDPR compliant.
SMEs and the cost of compliance
An Egress report conducted in September 2019 found that 52% of organisations were not fully compliant with the GDPR. Many small and medium sized companies put this down to the costs involved in ensuring compliance.
A PwC report found that 77% of survey respondents intended to spend between $1 million or more on making their practices GDPR compliant, with 68% planning to spend between $1 million and $10 million and 9% saying they will spend over $10 million. Some organisations may underestimate the cost involved, and/or may not be able to afford the high costs associated with ensuring their practices are GDPR compliant.
Is the cost of compliance unsustainable?
The cost of GDPR compliance will depend on a number of factors including the size of the business and the amount of data that is processed. Inevitably, processing large volumes of data will incur more costs. The way in which data is stored is also important, as companies will need to undertake regular review of the storage facility to ensure it remains secure.
What areas of the GDPR incur the greatest costs?
Incorporating technological defences into a company’s IT systems is one way to combat data breaches, however it may not be the most cost-effective. Systems such as encryption tools and malware detection are effective ways to safeguard data. However, even top of the range systems will be insufficient if employees do not use the technology effectively in preventing data breaches. Training is therefore crucial but a further cost to the employer.
Organisations must also implement processes tailored to the individual needs of each department to manage risk of compliance breaches. These processes should be monitored regularly, which can incur high costs. Many organisations have also employed a Data Protection Officer to monitor the organisation’s GDPR compliance.
For non-compliance and infringing the GDPR code of practice, the GDPR gives the data protection authority (in the UK, the Information Commissioner’s Office) the right to impose fines of up to 2% of their annual turnover or €10 million, whichever is higher. For actual breaches of personal data, fines can be up to €20 million or 4% of an organisation’s global annual turnover.
Between May 2018 and November 2019, data protection authorities in the EU issued 785 fines.
Other penalties include warnings and reprimands, orders to comply with data subjects’ requests, orders to bring processing operations into compliance with the Regulation and to resolve, remove or limit processing.
Notable cases include British Airways being fined £183.4 million for a data breach that occurred in 2018. That same year, the ICO fined Marriott £99.2 million for a historic data breach.
It is possible that the costs involved in making an organisation GDPR compliant may be disproportionately high for small and medium sized companies. However, with an increasing number of fines being issued, the risk of non-compliance could bring costly financial penalties that may outweigh the initial expense associated with ensuring compliance. Ultimately, unless there is some change forthcoming to subsidise or alleviate the costs of compliance, for many small businesses these hefty fines could put them out of business.
 “GDPR Compliance – where are we now?” Research commissioned by Egress, Independently conducted by OnePoll
 PwC GDPR Preparedness Pulse Survey, December 2016