If you have been to any privacy conferences lately, looked at privacy websites or spoken to your trusted privacy advisor, you have probably heard with increasing frequency the following tune: the May 2018 deadline for the GDPR is approaching fast, and you should be prepared and budgeting accordingly.

But what does this mean in concrete terms? Here are some tips on how to better estimate the costs of a GDPR project, breaking down the problem of budgeting into two clear steps.

First of all, what kind of changes should you expect?

The starting point for all budget planning is to understand the legal changes the GDPR will bring for your business. The GDPR brings a lot of changes for particular industries. One example is a change to the age at which children can consent, which will be relevant for companies targeting children with their services or marketing. Other changes concern the definition of profiling and the right of data portability. Those types of changes have been described already in a lot of articles, such as the Bird & Bird Guide to the GDPR.

Of even more importance from a budgeting point of view is the fact that the GDPR takes a fundamentally different approach to how privacy should be managed in an organization. Instead of relying on notifications of processing to data protection authorities, there will be many more obligations on organizations themselves to document data processing internally and manage risk accordingly. Organizations are accountable for implementing those changes, and many will need to appoint an internal or external data protection officer. The roles of processor and controller will change to some degree, which will necessitate changes to contract templates and potential renegotiation of contracts with vendors. It is advisable to address those changes via a privacy program with a special focus on GDPR. 

What will a typical GDPR project look like?

Typically, launching a GDPR project starts with a quite comprehensive privacy audit. The audit should look at at least four areas of compliance: external communications, internal instructions, risk management and privacy processes, such as vendor management. External communications in this context means communications to consumers and customers as well as data protection authorities, commonly made through privacy policies or statements as well as consent forms. External communications need to be supplemented internally with instructions, for example by drafting a data-retention policy or policies regarding standard security measures. A very important part of any GDPR project should be risk management, in particular setting up a process that documents data processing and evaluates privacy risks. Where needed, this process will also lead to privacy impact assessments and subsequently decisions on risk by a competent body within the company. Finally, privacy processes like incident management complement the audit needed to kick off a privacy project.

After completion of this first stage, it is important to develop a roadmap of how to close any gaps. Implementing risk management within a company takes much longer than, for example, drafting a new external privacy statement. Based on the roadmap, teams consisting of relevant stakeholders should start addressing the issues. At this stage, it is also important to reserve enough time for training measures to roll out the new processes. 

What type of budget would I need?

It is hard to give an exact number here (if you insist: expect anything between 100 euros and a few million euros), but there are four criteria that will influence budgeting:

The first criterion is the industry you are in and the data you process. Sensitive data, such as data relating to health, are regulated much more strictly under the GDPR than other types of data and will require compliance with additional obligations, such as conducting data protection impact assessments.

Secondly, the size of your company matters. The GDPR generally (with one prominent exception for documentation) has no less stringent requirements for small startups than it does for huge multinationals. Nonetheless, regulators have in the past focused their enforcement activities on companies that hold the data of many individuals and that have a prominent presence in the marketplace. It is also more burdensome to implement a privacy program in a big company as fundamental organizational change impacts so many more individuals, databases and processes.

The third, and maybe the most crucial factor for determining the required budget, is whether you are starting from scratch or whether you can build on an existing privacy program. The bigger and the more data-intensive a company is, the more likely it is that there is already a managed program. In that case, you will have to plan for the running costs of the program and some specific changes to the program, such as the revision of contracts, the management of risk with vendors and other privacy processes. Should you not have a privacy program, you will have to plan for one, including potentially hiring new staff to run such a program.

Finally, a major cost driver for a GDPR project is the question of whether you need to invest in new IT systems. For example, for any processing which depends on consent, your organization will need to work out the discrete elements of processing and offer separate consents for those elements. This will impact the choices presented to the user — but the system must also be able to reflect these choices in order to honor withdrawal of consent.

All of this can seem overwhelming. Remember that the GDPR is uncharted territory for everyone and that planning an appropriate budget is the first step to ensure that you retain your competitive edge.