Preparing for the GDPR – Why you need £15m or £300-£450 per employee on average to implement the GDPR
As the May 2018 implementation deadline for General Data Protection Regulation (GDPR) looms, more and more firms are gearing up to be ready. But how much will it cost them to achieve compliance?
£15m on average for a FTSE100 firm, as it turns out – based on our in-depth analysis of publicly available data of FTSE 100 companies and Sia Partners’ experience of supporting firms in the UK and in Europe on achieving GDPR compliance.
In this article we dig deeper into this analysis to see what lessons can be drawn for firms, including those outside the FTSE100, on the size budget they’ll need.
A closer look at the estimated GDPR budgets for FTSE100 firms
Clearly not all firms within the FTSE100 index will likely face exactly the same investment, as size, IT system complexity, number of products, service lines and a whole host of determinants will vary from one firm to another.
However, some observations can be made. Looking at firm size in the first instance, we find two key observations.
- Implementation costs increase with firms’ size. While hardly surprising, it is noticeable that the increase is non-linear and the spread of potential budget increases quite markedly against firm size, showing that the GDPR implementation is clearly impacted by an increasing number of factors as firm size increases, but also shows that the effect of these varies depending on industry, size and history. However, it is clear that budgets do reach significant magnitude already for firms with over 5,000 employees.
- The minimum and average implementation cost per employee is consistent across firm size, with implementation costing £300-£450 on average per employee across all sectors. However, the maximum seen from an individual firm decreases markedly, as firms size increases beyond 10k. This is a result of the maximum figures tending to be outliers within a tightly clustered group, with the biggest outliers being large insurance groups and oil & gas firms. This further reinforces that the £300-£450 implementation cost per employee is a good gauge to use for firms in the first instance.
Considering implementation cost by sector we can see four additional findings.
- Within the FTSE100, banks are the group with the highest expected spend. Average implementation cost per employee is consistent across firms. This is probably unsurprising given that banks tend to serve a wide range of customers (from retail to supranational), offer a very wide range of products and services and tend to have complex webs of legacy IT systems – all factors that feed into our methodology.
- Average spend per sector (except banks) is clustered around two distinct levels: approximately £15m-£19m for energy, commodities & utilities, retail goods and technology & telecommunications, with all other sectors clustered around the £5m-£11m level.
- Large insurance groups face a disproportionally high average per employee implementation cost. They also have the highest maximum spend within the category, pushing up the average value to the highest of all sectors.
- Based on the above, we can refine the estimate of the average cost of implementation by company size (£300-£450 overall), and clearly see three key outliers (i.e. banks, the energy, commodities & utilities firms driven by the big oil firms, and the non-bank FS firms).
Beyond the implementation cost
No matter the industry, the analysis clearly shows the significant budgets needed by firms (£15m on average) to avoid big fines (up to 4% of annual global turnover). For the FTSE100, the 4% of annual turnover fine would equate to a range of £800k for the smallest member and £7.1b for the largest.
To investigate this further, we have also analysed how many times over the potential 4% fine reflects the implementation cost.
On average, a fine of 4% of revenues (the maximum under the GDPR) represents 30-80 times the cost of implementing the GDPR in the first place. Within this range, energy, commodities & utilities and industrial goods & services stand out for their very high multiples of approximately 80. This primarily reflects the relative low cost of GDPR implementation in the first place, but also highlights that such programmes would offer great returns on investment for these firms.
At the other end of the spectrum we have the banks with a multiple of 13 on average. This is mainly a function of implementation costs being very high for these firms. Notwithstanding, this still highlights that the investment of compliance represents a decent return on investment in avoiding fines.
For the full methodology and approach used in the analysis or to help your organisation size and implement its GDPR programme, please email us.