
Into the unknown – determining the cost of GDPR

By Saurabh Ghelani, PA data protection and GDPR expert

All of the recent conversations I’ve had around data and privacy have led to the same conclusion – despite the EU’s General Data Protection Regulation (GDPR) being ratified nearly a year ago, organisations are only just beginning to determine how GDPR impacts them or how much it’ll cost to implement. And the longer they wait, the worse shape they’ll be in.

There is no right or wrong approach to determining the budget for implementing GDPR. But an approach needs to be chosen – and soon.

So what does this mean in concrete terms?

GDPR requires organisations to comply with the legislation and report data breaches. And it’s the senior management who are in the firing line if this doesn’t happen.

But given the size, scope and complexity of GDPR, there’s a risk the regulation will become a black hole for resource. And in an environment where profits are already squeezed, no-one’s keen to be accused of investing unwisely. Given the current maturity of the financial services businesses we’ve spoken to and where these organisations need to be by May 2018, they’ll need to substantially increase their investment to implement the legislation in time or risk being caught out by the regulators.  


So where do you start when the end isn’t clear?

GDPR is the first data protection regulation of its kind. It has far-reaching impacts – beyond the industry, geographic or technological borders of its predecessors.

So understanding how to budget for GDPR implementation is a challenge. A starting point is to perform a gap and impact assessment which will define the relevance of GDPR, and a firm’s current maturity against it.

When we recently worked with a Tier 1 British bank and a leading consumer financing business in the automotive industry, we followed an approach in which the priorities were defined first, followed by investigation of the unknown dependencies and elements. This approach supported the allocation of effort and resources, and delivered tangible quick wins.

There are four key categories to determine:

  • Known knowns – the things we know
  • Known unknowns – the things we know we don’t know
  • Unknown knowns – the things we don’t know we know
  • Unknown unknowns – the things we don’t know we don’t know

That last category is the killer: the ‘unknown unknowns’ are a significant challenge to plan and budget for. This is especially true when it comes to performing IT system changes to comply with several GDPR requirements, e.g. privacy by design, changes in consent models, enabling individuals’ rights management and safeguarding personal data assets. You’ll need to conduct extensive deep dives into your organisation’s technological ecosystem to determine the changes required to comply with GDPR.

Addressing these challenges and unknowns will require flexibility from your organisation and senior management in terms of allocated resource. And it’s essential that a significant portion of your budget is set aside to address the ‘unknown unknowns’.
