If you haven’t heard of GDPR by now you’ve either been on a deserted island, went on a digital detox for the last 6 to 12 months, or… anyway you’re one of the few (happy) people not worrying about it’s impact… yet.
If you have heard of GDPR or are busy implementing it, you might be wondering what your implementation budget should be, how big the gap can be and how to convey the message in a simple way to all of your colleagues & management.
In terms of total GDPR implementation budget – we’ve seen ranges from 0,01 to 1% of global turnover – depending on the size of the company, it’s margin and risk level in terms of personal data exposure.
This range provides an indication but companies with high legacy and medium to high risk have to assume a total budget of about 0,5% to 1% of global turnover.
This refers to the total budget to implement (not the yearly budget).
As GDPR doesn’t end on the 25th of May 2018, the design of your solutions, architectures, policies, procedures, processes and organisations is crucial to prevent high GDPR maintenance costs.
It’s therefore important to extend the GDPR business case with other benefits. If done well, the investment in GDPR will serve business goals like operational excellence, better analytics & insight, innovation, better customer view, more accurate next best action & next best offer with higher conversion rates,….
With GDPR there’s no such thing as “one gap” – as GDPR covers several aspects: legal, processes & organisation, policies & procedures, documentation/register, information and data management, IT/tech, security,… .
Many companies find the gaps to be substantial as GDPR forces them into managing their (wide scope of) personal data, keeping track of it and making sure no unnecessary personal data is collected, stored or processed.
For years data management was considered a burden and a cost for many companies, with little to no direct visible impact on revenue or cost savings.
Successful data-companies however, used data & information management to either grow fast, optimize customer experience, improve operational excellence, disrupt or make better use of analytics.
Most of these successful companies know their data, have it under control and make sure every employee can get the most out of the data (including personal data). A data and information mgt. gap analysis will therefore often result in a significantly smaller gap than their competitors & peers who haven’t invested in data & information mgt. .
The higher your data & information management maturity – the lower your effort to becoming GDPR compliant.
Nevertheless, it’s not because a company has a higher maturity in terms of data & information management – that it’s automatically dealing with data privacy and data protection in a (more) compliant manner.
The analogy of the boat & polluted water.
In order to explain the data and information gap, affecting the size of your implementation effort, we’ll use the analogy of a boat & water.
Imagine a company represented by a boat which sails to different destinations to run it’s business.
This boat sails on a river which is very much polluted and has been for years now (with every year facing an increasing level of pollution).
The water of the river represents the data – the pollution represents bad quality data & data not being managed or not under control – but nevertheless crucial to keep the boat (business) running.
The boat managers don’t necessarily know about the severity of pollution – as the vision and strategy of the boat company is about getting to the right destinations as soon as possible and reaching more destinations over time.
Using bigger and more powerful engines to achieve these goals might increase the cost but as long as the goals are met (more destinations are delivered) – there’s little reason for doing anything about the water.
What the captain and it’s management don’t necessarily see is that below deck a lot of local hero’s are continuously removing the dirt in front of the boat to keep it moving (local hero’s continuously working to get some of the data fixed to be able to move on – knowing the same problems will occur again soon).
From time to time dirt gets into the engine and a problem is reported, but as this is usually fixed soon (bypassed) it’s back to business as usual and the core problem is not dealt with.
Some people on the boat and a number of visitors (data & information mgt. professionals) see the risk and understand the problem (and opportunity).
They try to convince the boat crew that cleaning up the water would save them time & money, facilitate operations and insight and ultimately add to reaching the boat company’s targets but it’s difficult to make the business case as the investment mainly allows for indirect and medium to long term gain.
A new legislation…
Recently however, the government created a new legislation – forcing the boat companies to cleanse the water – as the government realized people were actually swimming in this polluted water and they were getting sick of it. (cfr. data subjects suffering from lack of data privacy and data protection).
The government has been telling this to boat companies for over 20 years, but with the new legislation it will be able to impose severe fines so most boat companies will be forced to do something about it.
Fixing a problem that has expanded over time (more water and river branches (big data), more rivers and more pollution) is not an easy task and the gap to overcome for (boat) companies that have never done anything in terms of this pollution (data) is huge.
Fortunately a number of companies have already started reducing some of the pollution over the last few years and luckily some smart people are coming up with solutions to accelerate the clean-up.
Companies have until the 25th of May 2018 to get the water cleansed & can expect fines from then on.
Some have started & some are only focussing on the big debris, but forgetting the fact that even if the water looks clean it can still be unsafe (poisoned).
The analogy with the boat and polluted water allows for an easy explanation and understanding of the immense gaps and efforts companies are facing today.
It also indicates that the 25th of May is not an end point – as the government isn’t looking for a one time clean-up but for a continuous clean river with good quality water – allowing data subjects to swim safely.
You’re not alone.
DataTrustAssociates can help you clean up the water and make sure it serves more than just GDPR compliance – benefitting from the this effort, rather than investing in risk mitigation only.
The DataTrustAssociates team of (DPO certified) resources are eager to help your business on it’s journey of GDPR compliance, reusing your previous investments and applying a very practical approach reducing GDPR maintenance effort & costs (after 25/05/2018).