Businesses like certainty, particularly in the current economic climate when that can be hard to come by. But when it comes to privacy compliance, it’s difficult to put an exact figure on how much it costs to get privacy sorted. The International Association of Privacy Professionals, for example, puts the range anywhere from £100 to a few million pounds.
One thing experts are in agreement on though, is that non-compliance costs more. It’s estimated getting privacy wrong costs more than twice as much as investing in compliance. Fines alone can stretch into the billions – Facebook owner Meta was recently fined €1.2bn by regulators for mishandling the transfer of European data to US servers.
There are many factors that determine what your data protection budget should be, including the size of the organisation, the amount of personal data processed and what you then do with it. Before the GDPR became law, PwC discovered 68% of the large companies it surveyed planned to spend between £1m-10m to make sure they met the then new requirements. Smaller companies wouldn’t have been spending anywhere near that figure.
The sector an organisation operates in is also a factor. A Statista report found that, among FTSE 100 companies, banks spend more than three times as much on GDPR compliance as the next closest sector (telecoms). Other considerations when drawing up a budget include whether you’re building upon an existing privacy programme, or whether any new IT systems will be required. How, for example, are you handling situations where customers withdraw their consent for marketing or other data processing? And how are you processing Subject Access Requests within the required timeframe?
Here is a list of other costs to consider when you’re trying to get privacy sorted.
Data protection fee
Organisations must pay a data protection fee to the Information Commissioner’s Office unless they’re exempt. The annual fee depends on a company’s size and turnover but is usually £40-£60 for charities and SMEs. Larger businesses could pay up to £2,900.
A privacy notice is only one of several documents required under UK data protection law so it’s important you get them all right. There are lots of free templates available online but they are typically of questionable quality and you may feel more comfortable asking a lawyer or consultant to help. However, drafting policy documentation is definitely not a task which can be outsourced wholesale. Only the organisation itself really knows what personal data it has, what it does with it, where it got it from and who it shares it with.
With up to 90% of data breaches involving human error, staff training is an absolute necessity. You need to get a company-wide commitment on privacy, run regular training, and keep employees in the loop about the measures you’re taking to look after data. The cost of training courses ranges widely – we’ve found some as low as £25 per person for online beginner’s courses, up to £229 per person. In-person training will of course cost more.
Employing a Data Protection Officer
The law requires an organisation to appoint a data protection officer (DPO) if it’s a public authority or body; if the organisation’s core activities consist of data processing operations that require systematic monitoring of data subjects on a large scale; or if the core activities consist of large-scale processing of special categories of data, such as health data. You can choose whether to appoint an internal DPO or an external one under contract. If you’re hiring someone internally, a quick look on Indeed.com suggests that annual salaries tend to be in the region of £75,000, and you’ll have to add national insurance costs and benefits to this. There is also a skills shortage in this area, which can make good DPOs hard to recruit and retain.
Hiring a privacy consultant
You could hire a privacy consultant who might also be able to act as your Data Protection Officer on an ongoing basis. Average day rates are around £440, but this will vary depending on the industry and size of the organisation – smaller businesses in retail or hospitality, for example, may only have to pay £175 per day, whereas larger organisations will be looking at paying more than £1,000 per day.