Change is expensive. Revising the way things have always been done to meet new requirements is always going to come with a cost. The General Data Protection Regulation, a massive disruption to the status quo and a game-changer, to wildly understate it, for not only the EU but also anyone doing business there, is certainly no exception. In fact, the IAPP and EY estimated in a 2017 Privacy Governance Report that Fortune's Global 500 companies will spend roughly $7.8 billion on GDPR compliance, for everything from staffing-up to modifying products and services. 

What wasn't obvious, though, was that vendors would swiftly pass along their own GDPR-related compliance costs to existing customers. But it seems to be a trend privacy pros are increasingly seeing.

Such was the case for Rita Heimes, CIPP/E, CIPP/US, CIPM, the IAPP's data protection officer. In going through the organization's compliance checklist, Heimes approached a vendor, one it has a long history of working with, for a data-processing agreement in order to comply with Article 28 of the GDPR, which specifies requirements for controller/processor agreements.

"They told us they would be happy to provide one to us if we upgraded to a premium account, but they wouldn't do it if we didn't," Heimes said. "This is not a massive contract for us, but it was essentially doubling the price of what we were paying."

In speaking to the service provider's sales person, Heimes pushed back. But the representative was unrelenting, claiming he'd spoken to his supervisors and been told affirmatively "the data processing agreement was only available if we upgraded." 

Because a data processing agreement is a standard document that can be drafted once and replicated many times over, Heimes felt the requirement to upgrade, and the subsequent cost increase, was a bit extreme.

"I felt very taken advantage of and held hostage," Heimes said. "They really had us where they wanted us, and we were faced with either proceeding with them in not having our appropriate Article 28 documentation in place or paying them more to come into compliance. But we decided our legal compliance was more important to us than a few thousand dollars. But it made an impression on us that the cost of preparing the Article 28 compliance document was being passed along to us."

Heimes isn't the only one having those kinds of conversations. Amanda O'Keefe, CIPP/US, CIPM, is senior vice president and assistant general counsel at Citi. She thinks it's nonsensical for vendors to be passing compliance costs on to customers. She said vendors should be looking to the strictest legal standards and building products and services that comply. 

"Data protection laws are not going away," she said. "If the GDPR is going to be the baseline, that should factor into product offers and cycling." 

It'd be one thing if Citi were to choose to use a vendor that doesn't typically cater to financial services, O'Keefe said, and so wasn't geared toward GLBA compliance, for example, or regional data protection laws. Then, sure, charge a premium for special add-ons. But "if you're targeting a market that has particular compliance obligations," like selling software to the health care industry, for example, "you better offer a service that's HIPAA compliant without an up-charge." 

O'Keefe said it's often in conversations happening at the outset, when a new work order is written up or a contract needs rewording, when the vendor mentions an increase in cost for GDPR compliance, with the logic being, "It costs us more for our services to be GDPR compliant in order to ensure that you're GDPR complaint." But, O'Keefe said, she's seeing vendors quickly back down once she pushes back. 

"In most of these situations, if they're a hosting service doing data processing, and we're the type of client they have, they can't be a data processor for these types of organizations if they're not GDPR-compliant, and that's the discussion we have with them: 'You have an independent obligation to be compliant or you can't offer this service,'" she said. And that's pretty hard for them to argue with. 

Another argument that seems to work? "Your competitors aren't charging for GDPR compliance." 

That's the tactic Jennifer Garone, CIPP/US, CIPT, FIP, formerly privacy, security and data governance senior risk manager at Microsoft and now data privacy director at Holland America Group, often found herself using at Microsoft in such situations. 

"Now with GDPR, [vendors are] feeling like it's a money-making opportunity," she said. "But the pushback to them would be, 'Well we're not the only ones asking you, and we know for a fact we're not the only ones asking you for this, so why should we pay more for something you're legally obligated to do?' And sometimes for us it was just the principle of it: No we shouldn’t have to pay more for something that’s really a cost of you doing business with a multinational corporation." 

Alex Wall, CIPP/E, CIPP/US, CIPM, FIP, is privacy counsel at Marketo, a marketing engagement software company that does business worldwide, and said that kind of logic makes sense to the company as a service provider, itself. Its competitors aren’t changing prices, so it wouldn’t make sense for the company to do so and run the risk of customers walking.

In his own dealings with providers, he said he hasn’t experienced the same kind of cost increases for GDPR compliance. “I go through a lot of vendor contracts,” he said, “and I haven’t had any say that to us.” He added that generally he requires that vendors show they’re using GDPR-compliant terms in contracts. “And then they usually either agree or push back and we end up debating about the terms, but rarely do they ever ask for more money,” he said. 

He added he is aware of a vendor that was charging extra money for a business associate agreement and another that wanted customers to upgrade to an “enterprise agreement” for a DPA contract. But, “Marketo doesn’t do it. It really goes against our ‘customer obsession’ company value, and it doesn’t make sense to charge someone extra in order to adhere to obligations that apply to both parties, so it just doesn’t fit with our ethos.”

Despite the headache and cost associated with these kinds of changes, it aligns with what Heimes expected a change as major as the GDPR to bring. 

"This is proof in real time where the cost is clearly being not just incurred by one company, but they’re trying to recover it by passing it on to their customer, and I just think that’s probably happening in more subtle ways also," she said. "Privacy law is great, but it is not free." 

Photo credit: Visual Content via photopin