GDPR: The Cost of Continual Compliance
- amalabdreamz
- Nov 9, 2018
- 3 min read
INTRODUCTION
Speaking to experts in data, compliance and legal functions across global businesses, one question many of them face is: what is the total cost of continuous compliance over the next three years?
This is an important question because the answer shapes the strategic approach to remaining compliant after 25 May 2018, the date from which GDPR applies.

Based on these conversations, we anticipate that business leaders expect continued GDPR compliance to cost more than £10 million over three years, and that is a conservative figure.
The £10 million problem.
Two new data points have made headlines in recent weeks.
The first article suggests that “three out of five [citizens of the United Kingdom] plan to question the amount of data that companies have about them.”
The second, a new study, found that “large companies expect to get an average of 246 GDPR queries per month, for which they will need to search in 43 databases (seven minutes per search), which is equivalent to almost 60 hours of search … per working day or 7.5 employees dedicated exclusively to GDPR queries”.
What the study does not take into account is that many organisations, bound by their own InfoSec policies and procedures, simply cannot hand this small team logins and access credentials for finance, HR or email systems. Nor should they: shared credentials defeat least privilege and destroy the per-user audit trail an organisation needs to demonstrate who accessed which personal data, and when.
There is therefore a knock-on effect to account for. When this small team has to locate personal information in response to a data subject request, it will have to involve several key stakeholders across the company (the people who do hold access to the various systems), distracting them from their other work.
The study also assumes that the data sits in a modern, structured and orderly database such as a CRM or a sophisticated billing system. The time taken per request rises significantly once you consider legacy systems, stand-alone applications and unstructured data sources such as email.
Personally, I think the number of FTE realistically required to handle the anticipated volume of queries is closer to 20 FTE in a large company, and demand will naturally rise and fall through the year, so the utilisation of that team will vary as well. The average cost of a UK-based analyst on a GDPR team is around £40k per year, which comes to around £2.4m over three years, plus general overheads.
In addition, many organisations that have held on to legacy data management systems are now forced either to upgrade to more modern, more accessible and more secure tools, or to use ‘human APIs’ to bridge the disparate systems across their technology stack.
On paper, the decision to upgrade systems looks straightforward; in reality there is no single technology that makes a company compliant. Companies therefore need to evaluate a wide range of tools, such as Master Data Management (MDM) systems, IP anonymisation tools, improved security and encryption systems and protocols, and a variety of other business tools. These can cost between £1m and £3m per year (around £9m over three years) for the technology alone, plus programme management and the disruption to business operations.
Finally, the most critical aspect of continuous compliance is the information itself. Large companies that have grown inorganically, through M&A activity, and even organically (housing data in different locations across their business units) will have Frankenstein infrastructure and data. Customer IDs, names, addresses, dates, contact details and so on that do not match across systems must be standardised or tagged effectively before they can be loaded into any of the systems mentioned above.
Tools such as MDM systems can usually consolidate multiple records from different structured data sources into a “Golden Record” (a single view of a person), but they often fall down when it comes to unstructured data such as email or chat communications.
In addition, many of the organisations I am speaking with face a major challenge with dark data or, worse, paper records, which must now be scanned, tagged and stored securely in order to meet the 30-day window for responding to data subject requests.