GDPR compliancy costs to exceed $1M for many

GDPR compliancy will cost businesses a pretty penny says the results of Netsparker's GDPR Survey. A survey of more than 300 C-level security executives, conducted online by Propeller Insights on behalf of Netsparker in March 2018, found that companies are taking the new General Data Protection Regulation (GDPR) much more seriously than HIPAA and PCI: 99 percent are actively involved in the process to become GDPR-compliant, despite the cost and internal reorganization involved.

GDPR is a new set of regulations the European Union (EU) has put in place to protect their citizens’ sensitive data from cybersecurity breaches. Under the terms of GDPR, strict conditions govern how organizations gather data and how it is managed. Organizations that fail to comply will face penalties. GDPR will go into effect May 25, 2018.

Companies seem to be taking GDPR very seriously. While many still aren’t PCI and HIPAA compliant, almost all (99 percent) of the security executives surveyed said their organizations are actively involved in the process to become GDPR-compliant.

• About half (49 percent) are 75 percent of the way through the process
  
  
• Another 37 percent are halfway there
  
  
• More than two-thirds (71 percent) are confident that they’ll be fully compliant by the May 25 deadline
  
  
• Only 2 percent say it’s unlikely that they’ll be ready

In preparation for GDPR, 57 percent of companies are re-engineering internal systems and procedures, 55 percent are recruiting new people specifically to tackle GDPR compliance, and 48 percent are re-engineering internal security teams.

“People are taking GDPR seriously because of how many high-profile data breaches we have all witnessed in the last few years,” said Ferruh Mavituna, CEO of Netsparker. “In the past, blame for data breaches was shifted around from party to party. Was it the business? The individual? The government? GDPR removes the ambiguity. As of May 25, businesses are responsible for data breaches. As a result, companies will have to restructure how they handle data, and, if they don’t have a sound IT infrastructure, they will have to rebuild from the ground up. It’s heartening to see that so many companies are taking themselves to task.” 

GDPR Costs

• 1 in 10 say GDPR compliance will cost their business less than $10,000
  
  
• About two-thirds (36 percent) will spend $50-100,000
  
  
• About a quarter (24 percent) will spend between $100,000 and $1 million
  
  
• 1 in 10 say GDPR compliance will cost their business more than $1 million

Although 82 percent of companies currently have a data privacy officer (DPO) on staff, 77 percent plan to hire a new, replacement DPO prior to GDPR going into effect. More than two-thirds (37 percent) of businesses have had to hire at least six new employees to achieve GDPR compliance, and almost 1 in 5 (19 percent) have had to hire at least 10.
Meanwhile, security executives working in healthcare and finance report the most resistance to GDPR:

• 14 percent of healthcare companies have only completed 25 percent of the GDPR compliance process, and 7 percent are unlikely to be GDPR-compliant by May 25
  
  
• 21 percent of finance companies have only completed 25 percent of the GDPR compliance process, and 3 percent haven’t even begun the process

Security executives expect the technology industry will be most affected by GDPR (53 percent), followed by:

• Online retailers: 45 percent
  
  
• Software companies: 44 percent
  
  
• Financial services: 37 percent
  
  
• Online services/SaaS: 34 percent
  
  
• Retail/CPG: 33 percent

The vast majority (82 percent) say GDPR will be a positive thing for third-party companies in e-commerce, because it will cause them to take security and privacy more seriously, including: better evaluating third-party contractors (36 percent), making sure business partners are GDPR- compliant (28 percent), and checking the location of all business partners with whom data is shared (22 percent).