How much? The cost of getting privacy right

Experts estimate it costs twice as much to get privacy wrong as it does to get it right in the first place

By Emma Sheppard, Writer

October 2023

Businesses like certainty, particularly in the current economic climate, when it can be hard to come by. But when it comes to privacy compliance, it’s difficult to put an exact figure on how much it costs to get privacy sorted. The International Association of Privacy Professionals, for example, puts the range anywhere from £100 to a few million pounds.

One thing experts do agree on, though, is that non-compliance costs more: it’s estimated that getting privacy wrong costs more than twice as much as investing in compliance. Fines alone can stretch into the billions. Facebook owner Meta was recently fined €1.2bn by regulators for mishandling transfers of European users’ data to US servers.

There are many factors that determine what your data protection budget should be, including the size of the organisation, the amount of personal data processed and what you then do with it. Before the GDPR came into force, PwC found that 68% of the large companies it surveyed planned to spend between £1m and £10m to meet the then new requirements. Smaller companies wouldn’t have been spending anywhere near that figure.

The sector an organisation operates in is also a factor. A Statista report found that, among FTSE 100 companies, banks spend more than three times as much on GDPR compliance as the next closest sector (telecoms). Other considerations when drawing up a budget include whether you’re building on an existing privacy programme and whether any new IT systems will be required. How, for example, are you handling situations where customers withdraw their consent for marketing or other data processing? And how are you processing subject access requests within the required timeframe (normally one month under the UK GDPR)?

Here is a list of other costs to consider when you’re trying to get privacy sorted. 

Data protection fee

Organisations must pay a data protection fee to the Information Commissioner’s Office (ICO) unless they’re exempt. The annual fee depends on a company’s size and turnover but is usually £40 to £60 for charities and SMEs. Larger businesses could pay up to £2,900.

Documentation

A privacy notice is only one of several documents required under UK data protection law, so it’s important you get them all right. There are lots of free templates available online, but they are typically of questionable quality, and you may feel more comfortable asking a lawyer or consultant to help. However, drafting policy documentation is not a task that can be outsourced wholesale. Only the organisation itself really knows what personal data it holds, what it does with it, where it got it from and who it shares it with.

Staff training

With up to 90% of data breaches involving human error, staff training is an absolute necessity. You need to get a company-wide commitment to privacy, run regular training and keep employees in the loop about the measures you’re taking to look after data. The cost of training courses ranges widely: we’ve found some as low as £25 per person for online beginners’ courses, and others at up to £229 per person. In-person training will of course cost more.

Employing a Data Protection Officer

The law requires an organisation to appoint a data protection officer (DPO) if it’s a public authority or body; if its core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale; or if its core activities consist of large-scale processing of special categories of data, such as health data, or of data relating to criminal convictions and offences. You can choose whether to appoint an internal DPO or an external one under contract. If you’re hiring someone internally, a quick look on Indeed.com suggests that annual salaries tend to be in the region of £75,000, and you’ll have to add national insurance costs and benefits to this. There is also a skills shortage in this area, which can make good DPOs hard to recruit and retain.

Hiring a privacy consultant

You could hire a privacy consultant, who might also be able to act as your DPO on an ongoing basis. Average day rates are around £440, but this will vary depending on the industry and the size of the organisation: smaller businesses in retail or hospitality, for example, may pay only £175 per day, while larger organisations will be looking at more than £1,000 per day.


Software

DPO service providers may also ask you to buy additional software to support their work, or you may decide to invest in automation to speed up some tasks, assist with data mapping and demonstrate compliance to regulators. Basic security tooling such as two-factor authentication (2FA) and email protection costs anywhere from nothing to around £5 per user, per month. There may also be other cybersecurity software you’re prepared to invest in to reduce your exposure to particular threats; firewalls alone can cost from £40 to £500 per month.

Lawyers

Privacy and data protection lawyers know the law, but hiring them to help you put an ongoing privacy programme in place can quickly become extremely expensive. Hourly rates start from £200 and go as high as £1,000 for a senior partner. They’re also unlikely to know enough about your business and how you use data, focusing instead on the letter of the law. Privacy compliance isn’t just for the lawyers, after all. You may be able to find a lawyer who will quote a project cost, but that cost will still be based on those hourly rates, and lawyers aren’t exactly famous for their speed of delivery.


Or a programme that puts it all in one place?

The Privacy Compliance Hub is a simple, structured, comprehensive privacy compliance programme built by experienced tech lawyers. It shows you what to do, gives you everything you need and enables you to demonstrate what you’ve done. It builds a culture of continuous compliance from the ground up within your organisation, making it easy for everyone to understand. You’ll have access to relatable training content, up-to-date templates, breaking news updates, and robust reporting tools. Plus, it’s one of the most cost effective solutions on the market – subscription can be as low as £31 per employee per year.
