By Chris Gayner
Speaking with Data, Compliance and Legal experts in global businesses, a question that many are grappling with is: What is the Total Cost of Continual Compliance over the coming 3 years?
This is an important question as it helps define the strategic approach to solving continual compliance, post May 25.
We anticipate, based on our conversations, business leaders are expecting continual GDPR compliance to cost over £10m over three years, as a conservative figure.
The £10m problem
Two new data points have hit the headlines over the past few weeks.
The first article suggests that "three in five [UK Citizens] plan to question how much data businesses hold on them".
The second, a new study, has found that “large enterprises expect to get an average 246 GDPR enquiries per month, for which they will need to search 43 databases (seven minutes per search). They will spend more than 1,259 hours on this, which equates to nearly 60 hours of searches per working day or 7.5 employees dedicated solely to GDPR enquiries".
What the study fails to account for is the fact that many organisations, stricken with various InfoSec policies and procedures, simply cannot handover logins and access credentials to Financial, Human Resources or Email systems to this small team.
Thus, there is an additional knock-on effect that needs to be factored in when this small team must search for Personal Information in response to Data Subject Requests, which will involve various key stakeholders (who do have access permissions to various systems) from across the business, distracting them from other activities.
The study also assumes data is housed in a structured, ordered, modern database such as a CRM or sophisticated billing system. The length of these requests ratchets up significantly when you start to factor in legacy systems, standalone applications and unstructured data sources like emails.
Personally, I think the number of FTE that is realistically required to handle the anticipated number of enquiries is closer to 20 FTE (in a large enterprise) – which will naturally spike and dip across the year (meaning utilisation of this team will also vary). The average cost of a UK based Analyst sitting in a GDPR team is around £40k a year, equating to about £2.4m over three years (plus all other expenses around overheads).
In addition, many organisations which have defended old, faithful legacy data management systems are now being forced to either upgrade to more modern, more accessible, more secure tools or use ‘Human APIs’ to act as the bridge between disparate systems across their technology stack.
On paper, the decision to upgrade systems is a no-brainer, however, in reality, there is no singular technology that can help companies get compliant, and stay compliant – and thus businesses need to evaluate a broad range of tools such as Master Data Management (MDM) systems, IP anonymisation tools, enhanced encryption and security systems / protocols and a variety of other enterprise tools that in themselves can cost anywhere from £1m - £3m per year (around £9m over 3 years) for the technology PLUS the costs associated with implementation, change management and disruption to business operations.
Finally, the most critical aspect to Continual Compliance is data. Large enterprises that have grown inorganically, i.e. through M&A activity and even organically (housing data in different locations across their business) will have Frankenstein-like infrastructure and data across their business. Mismatched Customer IDs, names, addresses, dates, contact information etc needs to be effectively standardised or tagged before going into any of the systems mentioned above. Tools such as MDMs often come equipped with the ability to pull various records into a ‘Golden record’ (single view of a person) from across various structured data sources, but often fall down when it comes to unstructured data (such as emails or chat communications).
Further, a lot of organisations I am speaking with have a big challenge around dark data or worse, paper-based data – which now needs to be scanned, tagged and stored in a secure location to effectively meet the 30 day turn around for Data Subject requests.
I’ve stopped counting the costs past the technology element as we already hit the £10m mark, but as you can see – it will, most likely, be a lot more than £10m to effectively solve GDPR requirements.
Automation as a cost-effective approach to a staging your transformation journey
Considering the £10m challenge, business leaders are seeking to understand the priority order in which to launch the series of technology and capability projects across their business. But it is too often a story of not being able to see the forest for the trees – many simply do not understand the scale of challenge and the implications for their business (e.g. if they received 10 requests for information tomorrow, could they turn them around in 30 days? What about 100 requests in a week? What about 1,000 in a month?).
Automation tools, when connected with other technologies, offer a cost effective (albeit, medium term solution) for managing and tracking data requests. These tools can be deployed from a central location, house access permissions in a secure / encrypted manner and ensure all requests are initiated as soon as received. The digital nature of automaton also offers companies the opportunity to digitise the front end of the Data Request Process – with a view of creating a zero-touch approach for scanning, matching, retrieving and compiling of information across a disparate real-estate of systems – structured and unstructured.
Naturally, there is a bell-curve effect with automation technologies in which upon reaching a certain magnitude of connections into systems, the automated solution will require an increased level of management and monitoring. However, business leaders who are faced with a shopping list of required investments over the coming three years and need data points to support prioritisation, automation should be viewed as a cost-effective approach for not only handling some of the immediate requirements of GDPR, but also as a way of informing a wider transformation programme.
About Chris Gayner
Chris Gayner is the Director of Symphony Labs, a contributor to The All-Party Parliamentary Group on Artificial Intelligence (APPG AI) and commentator on all things related to the Autonomous Business. He is a big believer in the power of technology + people to overcome critical business and societal challenges.