By Paul McCormack, Vice President of Privacy Law Innovation at Privitar

It’s no secret that data compliance has become increasingly challenging. Looking back over just the past 4-5 years, we have seen evolutionary (and in some cases revolutionary) changes to data compliance laws and regulations around the world, most notably the EU / UK General Data Protection Regulation (GDPR). The GDPR took effect 23 years after its predecessor (the EU’s first privacy law, the Data Protection Directive, which came into force in 1995), bringing data privacy and protection law in line with advances in both data and technology, whilst attempting to harmonize what had become a confusing patchwork of inconsistent national laws across the EU member states.

The GDPR taking effect in 2018 also triggered a chain reaction around the world. It became a catalyst and inspiration for changes to existing laws and, in some cases, brand-new laws in countries including Brazil, South Africa, Australia, Switzerland, Saudi Arabia, the UAE, and the United States of America (by way of state-specific privacy laws such as the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)).

This global overhaul is a positive step towards ensuring continued recognition of privacy’s central role, but it has also increased inconsistency; and with inconsistency comes complexity.

99 problems, but simplicity ain’t one
Data privacy laws and regulations are highly complex. Take the GDPR as an example. It comprises 99 articles spread over a 78-page document. It also needs to be read in conjunction with supporting guidance issued by the European Data Protection Board (formerly the Article 29 Working Party), court decisions (both at EU level and at national level), and the guidance and decisions of national data protection authorities. It’s easy to see how data compliance has become unwieldy and unmanageable.

For many companies, there is a growing commercial, risk and compliance need to get up to speed with the data compliance requirements of countries they have not previously dealt with (e.g. through organic geographic expansion or by acquiring a business that already operates there). To understand what they are getting themselves into, companies must perform diligence to determine which data compliance requirements apply when operating across multiple countries. Given the lack of harmonization around the world, this task isn’t easy.

If companies don’t have a scalable and sustainable way to keep up with the differing requirements, compliance becomes complex, operationally expensive, and time-consuming. Risks begin to emerge.

With the rapidly evolving legal and regulatory landscape, organizations have added reactively to their compliance frameworks and knowledge base, whether in people, processes and/or technology. A pattern has emerged of reactive compliance and slow, hard-coded decisions, driven by the many constraints businesses face (e.g. resources, time, cost, and volume of requests). The net result is that businesses find it challenging to operate in an agile and forward-looking manner. They are then left with no option but to turn to outside support (e.g. professional services or law firms) to keep the metaphorical data compliance lights on.

While every organization is different, one common trait is a lack of retained knowledge (i.e. ongoing corporate memory): gaps open up through attrition or lack of bandwidth and must be filled or updated. This impairs the ability to understand why, when and what decisions were made, which is problematic for many reasons, not least the inability to link changes in legal and regulatory requirements to ongoing data projects that need review in light of those new requirements.

All of these pain points are exacerbated by the fact that data professionals speak a different language from the legal, risk, and compliance professionals responsible for advising on data privacy and protection.

The lawyer or compliance professional needs to understand what data is going to be part of a project, who it relates to, where it is going to be stored and/or accessed, what it is going to be used for and from where, and which stakeholders might be involved. From here, they are able to determine whether the project is permissible, what controls or protections might need to be applied (e.g. data minimization), and what the implications or penalties might be for getting it wrong or failing to comply.

By the time the analysis is complete, the findings are already going out of date; the time and cost involved may soon need to be repeated to keep abreast of changes in law or regulation, or to support modifications to the project.

This process has become nearly impossible to sustain and problematic to scale. 

The cost of compliance
When measuring compliance costs, many companies consider their yearly spend by looking at the costs associated with their internal people, technology, and external professional services providers. For most companies, the cost of compliance steadily increases year on year. 

When considering reviews and analysis of data projects (i.e. diligence on the project-specific data compliance requirements), companies typically spend around £5-10k per country, depending of course on the complexity of the project. For a project involving 10 countries, that means around £50-100k. The deliverable is only as good as the day it is delivered: because legal and regulatory requirements keep changing, it quickly becomes outdated and requires regular updates, for which there is typically no budget. The end product is also often underutilized, with the knowledge and information retained by a limited set of stakeholders.

In a world of bottomless budgets this approach could be sustained, but that is sadly not the case. For example, research by Thomson Reuters (Cost of Compliance 2022: Competing priorities report) found that most compliance functions are expected to do more with less. This comes against the backdrop of increasing laws and regulations around the world: while the cost of compliance rises, budgets are not keeping pace. Given the current economic climate, we’d expect this to be no different throughout 2023.

As well as the visible and quantifiable compliance costs, data compliance carries another financial impact: opportunity cost. Frequently, we see projects fail because the easy and conservative answer is simply, “No.” Against the backdrop of decreasing budgets, increasing demands, and limited resources, it’s understandable why a defensive and conservative posture may be adopted; but it can equally have disproportionate longer-term effects (e.g. limiting decision-making, innovation, and growth).

In this context, using data is a risk. But the risk of not using your data (in a safe and compliant manner, of course) can be so much greater. 

Removing the bottlenecks and uncovering data opportunities 
By efficiently understanding what you can and can’t do with data, legal and compliance teams can focus on and prioritize strategic goals and move away from the routine.

This enables companies to move faster in using data, opening up opportunities by unlocking its full value. They can redirect their legal and compliance teams to higher-risk items while enabling data teams to scale by removing bottlenecks and barriers. Knowing how much you’re spending on data compliance allows you to benchmark, consider how best to manage costs, and therefore get the most value.

So how much is data compliance costing your organization?

Answer three simple questions using our new data compliance calculator and we’ll help you quantify how much time and money you could be spending on data compliance today.