If you have been to any conferences lately, looked at privacy websites or spoken to your trusted privacy advisor, you have probably heard with increasing frequency the following tune: the May 2018 deadline for the GDPR is approaching fast, and you should be prepared and budget accordingly.
But what does this mean in concrete terms? Here are some tips on how to better estimate the costs of a GDPR project, breaking down the problem of budgeting into two clear steps.
First of all, what kind of changes should you expect?
The starting point for all budget planning is to understand the legal changes the GDPR will bring for your business. The GDPR brings a lot of changes for particular industries, for example, a change to the age at which children can consent, which will be relevant for companies targeting children with their services or marketing. Other changes concern the definition of profiling and the right of data portability. Those types of changes have already been described in a lot of articles, such as the Bird & Bird Guide to the GDPR.
Of even more importance from a budgeting point of view is the fact that the GDPR takes a fundamentally different approach to how privacy should be managed in an organization. Instead of relying on notifications of processing to data protection authorities, there will be many more obligations on organizations themselves to document data processing internally and manage risk accordingly. Organizations are accountable for implementing those changes, and many will need to appoint an internal or external data protection officer. The roles of processor and controller will change to some degree, which will necessitate changes to contract templates and potential renegotiation of contracts with vendors. It is advisable to address those changes via a privacy program with a special focus on GDPR.
What will a typical GDPR project look like?
Typically, launching a GDPR project starts with a quite comprehensive privacy audit. The audit should look at at least four areas of compliance: external communications, internal instructions, risk management and privacy processes, such as vendor management. External communications in this context mean communications to consumers and customers as well as data protection authorities, commonly made through privacy policies or statements as well as consent forms. External communications need to be supplemented internally with instructions, for example by drafting a data-retention policy or policies regarding standard security measures. A very important part of any GDPR project should be risk management, in particular setting up a process that documents data processing and evaluates privacy risks. Where needed, this process will also lead to privacy impact assessments and subsequently to decisions on risk by a competent body within the company.