If you do a quick Google search for 'GDPR budgets', 'budgeting for the GDPR' or 'how should I budget for the GDPR', you will most likely end up down the rabbit hole of the enormous, unprecedented and truly frightening fines for non-compliance. This happens only after you've scrolled down an entire page in terror, reading snippets of how massive the budgets can be and how far into the unknown you are now venturing. Take a deep breath and carry on.
There are obvious GDPR costs
There are obvious costs attached to services and tools that assist you with demonstrating compliance or tools that ensure you have the information you need right here and right now (Libryo being one of them). There will be costs attached to upgrading IT hardware and software systems. There will be costs for audits and advice. There will be costs for training. There will be costs attached to policy and contract reviews. There are also hidden costs that are often not spoken about. What are they?
Before I go into that, I would like to briefly share a portion of my philosophy on the GDPR and data protection in general. I believe that respect for privacy should be a core value of every organisation. This core value should be a foundation for the decisions that get made, the projects that are planned and the strategies that are implemented. Respect for privacy extends to having respect for data subjects, which includes the people inside an organisation and the people adjacent to it. Is respect for privacy woven into the very fabric of everything that you do in your organisation? Most likely not, and therein lies the rub for most organisations attempting to achieve a level of compliance or demonstrability of compliance.
And then there are the hidden costs
When I do an external audit with an organisation and we begin to map personal data and examine the personal data flow within the organisation, a general awareness begins to emerge of the magnitude of the personal data held by the organisation. Very soon after that, a personal awareness comes to the fore within the people who work with and are responsible for this personal data. (If you don't believe me, scroll to the end to do an exercise for yourself to experience this phenomenon.) Data is an asset and it can be a massive liability. Personal data must be managed. Without exception, when an employee realises the scope of the responsibility they have toward the personal data they manage and the implications of mismanagement for the organisation in the form of the fines for non-compliance and other penalties, they experience major stress.
A good estimate is that implementing controls and processes will add 15% to 20% of extra time per task during a working day. Working toward compliance in the area of data protection is going to cause your employees stress. People react to stress in different ways. Some people go into overdrive and others might just switch off entirely. Without a doubt, there will be a loss of productivity within your organisation caused by stress that will result in time off. Do you have enough of a buffer in your organisation to absorb this loss?
You could hire in a compliance professional for the organisation or each department (and I would encourage this) but you will still face a loss of productivity while the person finds their feet. You will have to invest in some change management in a form that suits your organisation. You will have to invest in some human resource consulting. Every person in your organisation that deals with personal data will have a duty toward the organisation and the data subjects to ensure they are dealing with that data correctly. This data protection duty and their new responsibilities will have to be communicated to them. Contractual duties or KPAs will have to be amended and staff training on data protection and privacy will have to happen.
To give you some perspective, think back to the days when computers were introduced into the workplace. People were scared and stressed. Organisations took a hit on productivity so that they could enhance performance and productivity, thereby increasing revenue in the long run. Think about data protection in this context and prepare your staff for the change. Spring cleaning your personal data bloat, or in technical speak cleansing the data, can and should be a positive experience for your organisation. As one example, I can guarantee that your marketing will become far more focused and you will not feel that you are shouting into the wind when you send out the company newsletter.
Investing now, to recoup hidden GDPR costs
My advice to organisations starting out on the journey towards being able to demonstrate compliance (it is quite a mouthful, but this is how we say it) with the General Data Protection Regulation, the ePrivacy Regulation (not in final form yet) and data protection principles generally is to invest in services and tools to mitigate the loss. These include:
- professional assistance in the form of data protection consulting and auditing services that will put you on the fast track and give you assurance that you are focussing on your high-risk areas at the outset
- investing in the informational and management software tools as they will cut down the time required for compliance by at least 80%
- HR consulting that will get your staff members thinking positively and, in doing so, better prepared for the changes within their roles
- getting your management structures on board, aware and talking about data protection at all levels
- getting your staff trained
By implementing these suggestions during your data protection compliance process, you will build the buffer your organisation needs to recoup some of the hidden costs, ensure a healthy increase in productivity and ultimately create an increase in revenue.
I have included a very simple exercise for you to do. Download this PDF file, print it (YES, actually do print the piece of paper) and sit with a pencil or pen and fill in the table demonstrating the flow of personal data within your job role.
Philipa Jane Farley is a guest blogger for us at Libryo. She provides external auditing, training and advisory services to SMEs in the privacy law space. Her aim is to make the GDPR/ePR change and compliance process as painless as possible.