Benchmarking the Cost of Compliance
Ready or not, the Age of Privacy is here. And as the California Consumer Privacy Act (CCPA) approaches, we’re sharing the lessons learned from organizations that spent 2017 and 2018 working toward GDPR compliance.
By compliance we mean a state in which everything stays current: data maps are updated automatically, processing an accurate Data Subject Request (DSR) is operationalized and systemized, and business systems are continually monitored for changes and field updates.
We surveyed 300 privacy professionals — at organizations large and small — affected by GDPR/CCPA. What did they learn one year following the GDPR deadline that could help companies now as they prepare for CCPA?
The Opportunity Cost of Compliance
Many of our discoveries were expected: most organizations wished for more time to prepare, and it took most companies 7 months to achieve GDPR readiness.
Alarmingly, companies invested substantial time and resources toward becoming GDPR ready, but their solutions aren’t scalable to support future regulations. Over 50% of the companies surveyed developed an in-house solution, yet 71% of these companies agree that the systems in place can’t scale to support emerging regulations. Further, 9 out of 10 companies plan to hire at least 3 people to manage privacy regulations in the next 2 years.
It’s important to take a moment to understand the gravity of these findings. Companies spent significant sums to build systems they already know are stop-gap solutions that won’t scale to future regulations, which shows that the opportunity cost of becoming compliant has a far-reaching footprint.
This leads to the operational cost of privacy compliance. The cost spans far beyond the financial, and it’s ongoing. In fact, 3 out of 4 companies spent over $100,000 on technology solutions or consulting services to become GDPR ready, and the average company spent about 2,000 – 4,000 hours in meetings to prepare for GDPR — with 25+ employees involved.
Ultimately, the impact of GDPR is reflected in the opportunity cost of diverting dozens of employees to unpack GDPR, as well as in the increased risk of human error that comes from involving so many people in the process.
Now, the good news. Some companies are taking the right steps to ensure that compliance is sustainable in the long-term. 9 out of 10 privacy professionals recognize the importance of a data inventory, and 30% of companies are automatically updating it.
Compliance must be viewed as an ongoing effort, and the key is to invest in solutions that can automate manual processes and integrate across business systems and third-party services.
Sustaining compliance requires that you:
- Understand the complexities and unique requirements of each regulation
- Continually identify systems — both existing and new — that hold regulated data
- Put practices in place to update those systems when new information is added
- Operationalize data privacy requests while minimizing processing risks
- Easily adapt to regulatory changes or amendments that impact any of the above
To learn more about what steps your peers are taking toward privacy compliance, check out the Age of Privacy: The Cost of Compliance Report, and let us know what you think!