Given the near ubiquity of GDPR fear, uncertainty and doubt — and the ink spilled over complying with it (not to mention the untold consulting dollars spent doing so) — at first blush, the idea of just ignoring GDPR might seem crazy. After all, fines can reach as high as 4 percent of global revenue, which for Fortune 500 companies can easily reach into the billions annually.
There’s no way a firm would willingly and deliberately risk these kinds of fines. Or is there? What if the cost of complying (if we could quantify it, including loss of market share, agility, new markets, etc.) exceeded the fines? And what if the cost of compliance (and all that goes with it) exceeded the fines by orders of magnitude? Would we comply, or would we just keep doing business as usual and eat the fines as “the cost of doing business?”
This is a hard question to answer because, in my experience with firms wrestling with GDPR over the last two years, almost none of them have quantified the cost of compliance and weighed it against the cost of non-compliance.
And forget GDPR; pick any compliance requirement, such as HIPAA, SOX, etc. How many firms have quantified the costs of complying and weighed them against the costs of non-compliance? I would hazard a guess that close to none have. (Let’s be real, it’s none.)
Here, we’ll dig into the categories of effort and cost for broad GDPR compliance and then ask ourselves whether we would come out ahead if we just did nothing and accepted the cost of fines associated with GDPR non-compliance.
Categories for GDPR Compliance
In my opinion, the GDPR requirements can be rolled up into three very broad categories:
- Chief Data Officer: Appoint a C-level officer that owns data at the firm.
- Right to be Forgotten: When an EU citizen customer or employee requests that a firm delete all their personal data, the firm must do so.
- Data Portability: When an EU citizen customer or employee requests that a firm provide all their personal data in an acceptable format, the firm must do so.
What It Takes to Meet the GDPR Requirements
To meet these three broad requirements, at a minimum, a firm must address the following:
- Individual systems: Re-engineer/re-architect to allow for identifying data by EU citizen/employee.
- Integrations: Re-engineer/re-architect to allow for removing or exporting EU citizen/employee data.
- Staffing: Hire a Chief Data Officer.
- Process: Design and implement processes required by GDPR to respond to EU citizen/employee requests and report on “misses.”
So far, so good. Now let’s take a high-level look at what it would really take to comply.
Costs of GDPR Compliance
First, it takes dollars. Many of these core systems affected by GDPR are 20 to 30 years old, running on mainframes, with little to no documentation on how they’re built, and incredibly painful to update.
Second, the effort from internal and external resources will be huge (even if you can find folks who know the hardware and software your systems are running on).
Third, your operations will have to make a sea change to be compliant, requiring a massive restructuring of the established ways of working.
Fourth, change management will be daunting, because you can’t change core systems and the way folks work day in and day out without managing change skillfully — not a strong suit at most organizations.
Given the scope and scale of these changes, we can return to the question that inspired this post: Would it be less expensive and risky to just accept GDPR fines and continue business as usual?
The Net Net
The answer to this question will be different for each firm, of course. But let’s use an extreme example: Facebook. If Facebook complied with GDPR, they would have to not only hire a Chief Data Officer (chump change for them, for sure), but also re-architect all their systems to allow them to remove all user data for an individual as well as export all data for a given user within the timeframes set forth in GDPR, without breaking other systems in the process.
For example, if I request to be forgotten, what happens to my interactions with other Facebook users who haven’t requested to be forgotten? Do my comments just disappear? What happens to their tags of me in their posts? Photos they posted with me in them? Can they remove a person’s posts because a person in them asked to be forgotten? What about likes? Shares? Direct messages? Posts viewed? How would Facebook determine this? And once they did, how would they implement it (in the timeframes dictated by GDPR)?
And given that selling user data drives nearly all their revenue, what’s the value of losing the revenue stream associated with the 1 percent, 5 percent, 10 percent or more of their users who ask to have their data purged from Facebook’s systems? Would it be more than 4 percent of global revenue? I don’t know, but it’s a question worth asking, not only for Facebook, but for any firm faced with GDPR compliance.
The Ultimate Cost of Compliance
I’ll end with an example from health care. A few years back, health payers were scrambling to comply with a regulation concerning mental health parity. Some of them spent up to two years and millions of dollars to re-engineer their systems and processes to comply, only to have the regulation withdrawn the day it was to go into effect. Money wasted. And what was the negative impact they were seeking to avoid? Somewhere in the neighborhood of six figures for most payers — so even if the mental health parity regulation had remained, would seven figures have justified avoiding a six-figure fine? I’m not a Chief Financial Officer, but I think not.
I would argue we’re in an analogous place with GDPR. The FUD factor and the hype have firms jumping through mind-bogglingly expensive hoops without considering whether the cost of complying is worth the cost of not complying. The right answer will be different for each firm, but my advice is to quantify both sides and make a sound business decision.
A version of this post originally appeared in CMSWire.