FTSE and Fortune firms will spend on average £430,000 and $1m respectively on technology alone to ensure compliance with the upcoming General Data Protection Regulation (GDPR), new research by international law firm Paul Hastings has shown today.
The survey of 100 FTSE 350 General Counsel (GCs) and Chief Security Officers (CSOs) and 100 Fortune 500 GCs and CSOs reveals that the biggest allocation of budget set aside so far to comply with GDPR is for technology. The mean technology budget set aside for FTSE firms is £430,000 and for their Fortune counterparts it is $1m.
Despite these large sums of money being allocated, only 10% of firms in the UK and 9% in the US have currently purchased new technology, meaning many firms have yet to start this potentially lengthy process.
Behnam Dayanim, partner and global co-chair of the Privacy and Cybersecurity practice at international law firm Paul Hastings, said: “Our research shows that, while large businesses are taking GDPR compliance seriously, there remain worrying signs that they may be falling short in planning for implementation next May. £430,000 or $1m may seem a large sum, but, for many larger and more complex companies, it reflects a small portion of the technology and other costs that ultimately may be required.
“The GDPR is high-stakes. The consequences of violation can be immense, both in terms of fines and in potentially crippling disruption of a business’s ability to exploit what in many instances is its most valuable asset. And the clock is ticking. GDPR compliance can entail substantial revision to existing procedures and systems. Companies that haven’t yet begun already may find themselves in difficult straits come May; certainly, those that have been dragging their feet would be well-advised to strap on the running shoes and try to catch up.”
The EU’s General Data Protection Regulation (GDPR) is coming into force in May 2018 and will affect any business which controls or processes the data of EU citizens, regardless of where the business is located. As part of the wide-reaching regulation, businesses can be fined up to 4% of global turnover should they fail to comply with GDPR.
Surprisingly, 17% of respondents in the UK and 22% in the US said there was no budget for third-party legal support, something which will be important for businesses before and after GDPR is introduced.
Firms are also setting aside budget for additional permanent staff to meet regulatory demands. Of the FTSE firms surveyed, 40% have set aside a budget of between £201,000 and £400,000 for additional permanent staff, and in the US 34% have allocated between $501,000 and $1m.