Much has been written about the penalties contained in the General Data Protection Regulation (GDPR). But what will it cost to comply with GDPR?
It will run around $1 million just for technology, according to a survey by the global law firm Paul Hastings LLP.
Specifically, firms listed in the Financial Times Stock Exchange 350 expect to spend £430,000 on technology and Fortune 500 companies expect to lay out $1 million. It’s their biggest GDPR budget item.
That doesn’t mean they are spending it. Only 10% of firms in the UK and 9% in the U.S. have purchased new technology to date.
“Our research shows that, while large businesses are taking GDPR compliance seriously, there remain worrying signs that they may be falling short in planning for implementation next May,” states Behnam Dayanim, partner and global co-chair of the Privacy and Cybersecurity practice at Paul Hastings.
Dayanim adds that “£430,000 or $1 million may seem a large sum, but for many larger and more complex companies, it reflects a small portion of the technology.”
The news comes as a plethora of firms are announcing GDPR compliance solutions.
Paul Hastings surveyed 100 general counsel and chief security officers at FTSE 350 companies, and 100 at Fortune 500 firms.
Technology aside, companies are budgeting for new hires to deal with regulatory issues. Of those polled, 40% of the FTSE firms have allocated from £201,000 to £400,000 for new permanent staff. In the U.S., 34% have set aside $501,000 to $1 million.
They are also preparing to shell out for legal advice.
The survey found that FTSE firms have budgets for third-party legal support. But 17% of the UK firms and 22% of their U.S. counterparts have no such budgets.
Of course, these costs are only a fraction of what firms might be fined for violations when GDPR takes effect next May — up to 4% of their global turnover.
“The GDPR is high-stakes,” Dayanim notes. “The consequences of violation can be immense, both in terms of fines and in potentially crippling disruption of a business’s ability to exploit what in many instances is its most valuable asset. And the clock is ticking.”
Dayanim continues that “GDPR compliance can entail substantial revision to existing procedures and systems. Companies that haven’t yet begun already may find themselves in difficult straits come May; certainly, those that have been dragging their feet would be well-advised to strap on the running shoes and try to catch up.”