Assessing the Cost Structure of GDPR Compliance Strategies

Written by

A recent PwC report stated that the GDPR is a complicating factor for the IoT. PwC asserts that every type of IoT device will need to be designed with GDPR requirements in mind. However, the report identified three types of IoT devices that need particularly strong security design constraints. These devices include:

  • Telematics insurance systems. Telematics insurance systems are used by insurance companies to track driving habits to set actuarial claims. However, PwC says that these telematics devices raise some serious privacy concerns. They may raise risks about sharing data with other insurers, which could violate the GDPR. Driving data could also be sensitive, so would need to be protected from hackers. 
  • Smart wearables. Smart wearables are also becoming more popular. PwC points out that the data from these devices could cause privacy concerns if shared with the wrong third-party companies. Patient health data could also be very dangerous in the hands of hackers. 
  • Smart home security. Smart home security is probably the most worrisome privacy risk for IoT users. Hackers that breach them could gain access to a person’s house.

Companies manufacturing or managing IoT devices need to be aware of all of the security risks involved, and ensure these devices meet the compliance standards of the GDPR.

Costs of Meeting GDPR Compliance with IoT Networks
The cost of complying with the GDPR is far from insignificant, and the cost can be even more expensive when having to secure IoT networks. A growing number of hackers are orchestrating hacks against IoT devices, as one poll showed 61% of businesses reported being victims of an IoT security breach.

All companies that are subject to the policies outlined under the GDPR should consider projected compliance costs and factor these costs into their models and budget accordingly. They can’t afford to skimp on complaints expenditures, because the consequences of failing to meet the requirements will be severe.

What are the costs of complying with the GDPR for Companies with IoT Networks? 
Every company that is subject to the GDPR is trying to accurately assess compliance costs. The cost of complying with GDPR requirements has been found to be $16 million for an average Fortune 500 company. Another survey found that 10% of top executives said GDPR compliance will cost their company over $1 million.

Four out of five companies with under 10 employees expect to pay under $50,000 on compliance. On the other hand, 92% of companies with over 1,000 employees expect to pay over $50,000.

These figures seem to contradict the earlier statistic showing that the average cost of GDPR compliance is over $1 million. The reason the average costs are so high is that many multi-national companies are paying exorbitant amounts of money to meet compliance targets. There are a couple of reasons for this:
 
Large multi-national corporations are more likely to be targeted by EU authorities for neglecting to meet compliance requirements. Since they have deeper pockets, they have fewer excuses for failing to abide by these standards. They are also more likely to have the assets to cover penalties, even if they are going to impose a strong burden. 
Large organizations are considerably more likely to be targeted by cyber-criminals. 

The costs for smaller companies are likely to be a lot lower. However, this does not mean that their compliance plan should be under funded.

What factors affect the costs of compliance? 
The following issues play a role in GDPR cost compliance:
 
Whether the company is a data controller or data processor - Although all companies are subject to the same penalties for failing to abide by GDPR requirements, the regulatory burden is higher on some companies than others. The law distinguishes between data controllers and data processors. Data controllers are primarily responsible for data protection, because most of it falls under their purview.

The regulatory responsibilities can be difficult to determine, because obligations are sometimes blurred. Multiple companies might play some role in controlling data, so they might attempt to relinquish any responsibility to other parties. However, the law will make a determination as to which organization is ultimately responsible. Companies that are deemed data controllers will have to exhaust more resources into compliance. 

The scope of data that will be collected - The amount of data that is collected will contribute to compliance costs. However, the range of data that is collected will play a much larger role. Companies will need to pay more for compliance if they:

  • Collect data on many different types of companies or customers 
  • Collect a wide range of data on customers 
  • Collects personally identifiable data that has not been anonymized 

The logistics of safeguarding data is going to be more complicated has the range of data expands. 

Whether data will be shared with companies outside the EU - GDPR compliance becomes more complicated for companies transferring data across international lines. If they are trying to share data with third-party companies located outside the European Union, then they are going to need to take extra compliance measures.

They will need to make sure their contracts with those companies include GDPR compliance protocols. The controller of the data will bear responsibility, even if the company outside the EU is the negligent party.

The lifetime of the data - Companies that retain data in definitely face much steeper compliance costs. They will want to consider minimizing data retention timeframe is to keep regulatory costs low.

What’s hot on Infosecurity Magazine?