The GDPR is shaking up the IT budgets and strategic thinking of every company that handles the personal data of European citizens.
Consequently, many consulting companies use GDPR alignment as a way to grow their turnover. They see the approach of May 25, 2018 as a very lucrative opportunity to offer "simple solutions" at a huge price.
The wave of marketing around the GDPR suggests that becoming compliant is a major obstacle: expensive and delicate. Wrong! Or at least, not systematically...
Understanding the GDPR
This is the starting point of any compliance process. Knowing the regulation in broad outline helps you identify real needs, exclude unnecessary actions, and avoid scams and excessive investments.
Three terms to keep in mind dominate the new regulation: security, confidentiality and responsibility.
Security and Confidentiality
Too many managers do not understand (or do not want to understand) that security is a different concept from data privacy (confidentiality).
It is possible to have an adequate level of security (data encryption, for example) and still fail to respect the new confidentiality principles of the GDPR (right to be forgotten, right of access, right to data portability...).
It is wrong to believe that confidentiality is respected just because the data is secure. These are two distinct objectives that sometimes need to be achieved in different ways.
While the GDPR requires deep reflection on data management and an audit of the information system (IS), it does not systematically lead to an overhaul of the IS!
Indeed, the principles set out by the GDPR are broadly similar to those of the Data Protection Directive, in place since 1995. Your company may not be so far off the mark, although the GDPR clarifies some terms and concepts, such as "responsibility" (accountability). The companies concerned are the guarantors of respect for the regulation's principles and must be able to demonstrate that these principles are respected.
The GDPR principles are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Limitation of retention (storage limitation)
- Integrity and confidentiality
- (+ Responsibility, i.e. accountability)
The idea is that companies must be able to prove their approach. This necessarily involves investing in:
- employee awareness
- an audit of the IS
- an impact assessment (PIA)
- purchasing technical solutions to bridge compliance gaps
You will have to estimate a budget for each of the previous steps.
Calculate your budget for a GDPR approach
Awareness / internal training
Like any organizational change, it requires raising awareness among your teams to facilitate the transformation and the adoption of new internal processes.
You will need to provide training for managers.
Count about 900 € per person per day.
You will also need internal person-days to carry out communications and awareness meetings.
Audit of the IS
An essential step before any decision is the audit of your IS. Depending on your internal resources, you may need to call on an IS service provider. The costs of this part will depend on:
- the size of your business,
- the amount of data stored in the systems concerned (CRM, ERP, etc.),
- the complexity of their architecture.
To give you an idea, count 3 to 10 days of work by a project manager, at 700/900 € per day, for each system.
Impact analysis (PIA)
Following this audit, you will have to perform the data privacy impact analysis (PIA in the GDPR). For that, you have two choices: do it alone or get help from a law firm. The second option is the most reliable, but it is neither mandatory nor the most economical!
Count around 200 € / hour (knowing that, for example, redrafting a subcontracting contract takes about 1 day of work).
The fixes you will have to carry out following your audits and impact analyses are much harder to quantify, because it really is case by case (improving security, updating the processes that guarantee confidentiality, data backup strategy, etc.).
**To clear the ground a bit, you can count:**
- 700/900 € per project manager day from an IT service provider
- 600/800 € per developer day from an IT service provider
- 200 € / hour of legal advice
- internal resources to be mobilized
Invest in technical solutions
There is too much misinformation about the GDPR deadline. The politics of fear is pushing companies to buy solutions without even thinking about their data management model.
Investing in technical solutions may be necessary. However, do not start there.
The solutions you implement must only fill the gaps identified during the audit and the impact assessments. If corrections to data management are needed, compliance will probably mean an increase in the IT budget, but not necessarily: avoid over-engineering or excess zeal that will lead to significant and unnecessary additional costs.
For information:
- 40% of French companies do not plan to increase the IT budget
- 30% expect an increase of between 1% and 10% of their IT budget
- 30% expect an increase of more than 10% of their IT budget
To avoid scams...
- Know the rules and make sure your teams understand them.
- Check our GDPR compliance checklist.
- Designate an internal GDPR referent.
- Audit and analyze the risks related to security AND confidentiality.
- Identify the risks and define what is needed to minimize them (if necessary!).
- Identify solutions to address the gaps in GDPR compliance.
Note that a properly framed, implemented and documented approach will help you avoid budget overruns.