What Will it Cost to Become EU Data Law Compliant?

September 02 12:25 2015

The EU data law is due to come into effect in December 2017, and between now and then customer-focused companies face the greatest workloads and highest costs in compliance preparation.

The cost of becoming General Data Protection Regulation (GDPR) compliant will vary, but there is no shortage of estimates designed to act as guidelines. However, 87% of companies surveyed are unable to calculate the budget that will be required, and 82% of the 506 companies asked said they are unaware of their current spending on existing compliance rules.

A sizeable minority believe there are no financial implications of any kind in preparing for GDPR. A representative of the Information Commissioner's Office (ICO) said recently that there would be leeway for companies and other organisations that have made a recognisable attempt to be compliant but have not succeeded. Token efforts would not count.

One responder to the survey predicted that GDPR would cost their company £5 million to become compliant, and £1 million a year to maintain it. The Ministry of Justice produced research of its own that concludes the cost to UK business could be as high as £320 million a year, and £2.1 billion over fourteen years. These sums are countered by the belief that a greater emphasis on compliance regulations will save between £42m and £124m in fines imposed by the ICO.

A report for the Information Commissioner's Office finds that appointing a data protection officer to oversee compliance will cost between £50,000 and £75,000 annually, and for UK businesses of all types a total of £229 million. For SMEs it could add £182 million to salaries, and for larger companies £47 million.

The EU itself predicts the cost to European business will be £580m, and there will be a £2bn administration saving for pan-European brands because multiple national data rules will no longer exist. This ignores the fact that regulatory authorities in each European country will have leeway to enforce and apply sanctions as they see fit, meaning marketers will still contend with different regulatory regimes with their own interpretations of the law.

Compliance challenges

Consumer-facing financial companies are estimated to have to pay between £100,000 and £500,000 to become compliant, but just as important is the loss of revenue created by a failure to obtain the new higher level of opt-in consent from consumers, which will lead to losses of revenue running into tens of millions.

Other Big Data users, such as the utility, grocery and IT sectors, will also face major compliance challenges. The report claims charities and membership organisations may find fundraising impossible, and extra revenue will have to be found by them to cover a necessary increase in telemarketing.

In the data sector itself the Direct Marketing Association believes tighter regulations on consent could lead to a 50% fall in turnover for list brokers, and a similar drop in business for data cleaning services.

Data companies could face a one-off cost of £500,000 for system development in order to meet consumers' 'right to be forgotten' and subject access fees. Data portability will cost another £100,000 in system changes.

Digital advertisers still require clarification on how pseudonymous data will be treated within GDPR. If the law goes against their interests, the Internet Advertising Bureau believes there will be a £633 million a year loss in advertising revenue.

Most companies that employ 250 people or more, and those with more than 100,000 consumer data files, already have a job position focused on compliance. The cost to train them on GDPR will be £7,600.

Whatever the costs will be for individual companies, the cheapest way to tackle GDPR is to start preparing as soon as possible. The later it is left, the more expensive and disruptive it will be, and the time available in which to prepare will already not be enough for some large consumer-facing companies that are heavily reliant on marketing databases.

After December 2017 the ICO could come knocking at any time, plus members of the public may be given the right to claim damages for misuse of their information. A PPI-style claims bonanza is something all companies could do without.

Article originally published here.


About Article Author

GDPR Associates



  1. trinaeanes
    August 11, 11:24 #1 trinaeanes

    I am sure this piece of writing has touched all the internet viewers,
    it's really really fastidious piece of writing.

  2. isiahboose
    September 22, 20:16 #2 isiahboose

    You’ve made some really good points there. I looked on the web for more information about the issue and found
    most people will go along with your views on this site.

  3. franceslangley
    October 12, 17:51 #3 franceslangley

    Wonderful blog! I found it while searching on Yahoo News.
