You know that this is a privacy-related forum?
Members who want stronger protections in the GDPR are not a sign that this is a “tin-foil” community.
@anon86365830 I’d suggest finding a way to express yourself more constructively and respectfully.
Implying that those who do not share your interpretation of a law are unserious conspiracy theorists (“the tinfoil brigade going insane”) is not useful (or persuasive).
If you disagree with people in this thread, your energy would be better spent by explaining your disagreement, and supporting that with evidence or an explanation of your reasoning.
I do not think we will have a full scope until they release the suggested changes.
An example of costly compliance is how a “child” is defined. GDPR sets the age of digital consent to 16 years old as default, but there are several countries who chose to modify this, as is their current legal right.
The UK (might have changed after Brexit), Denmark, and Sweden set this at 13 years old.
France and Italy are 14, while Germany and the Netherlands set 16 (or keep the default). This means you need to have different rule sets and ways of handling this data per region.
As I annotated, the UK used to be 13, but with post-Brexit changes and the large social media initiatives this may have changed. This only reaffirms that there are additional costs that could occur by assuming one is correct without actually knowing for certain.
We then have legal complexities, technical overhead, and even risk of non-compliance. You would then need parental consent tools that were modular in order to comply per region, and possibly a region specialist to maintain knowledge of local requirements. Coming from a background in compliance, this can be extremely difficult to maintain without at least one dedicated compliance manager.
This is not always affordable to companies, and it is easy to make mistakes with only one person in charge of ~27 countries with some local challenges including localization. This is one example I can provide as of now that could potentially be improved on to make it easier to be compliant without making any sacrifices to some, and minimal to others, regarding privacy.
I am quite interested in this particular subject as I will be following it fairly close.
edit: I made some spelling errors
I agree on some points. EU regulations often include “opening clauses” that let member states implement aspects differently, creating inconsistency despite being intended as uniform law. The GDPR exemplifies this problem with its roughly 50 opening clauses, needlessly complicating compliance for companies. I believe the EU should unify certain clauses to simplify the law while maintaining its strong data protection standards.
Thank you for clarifying, especially for folks like me who never had to deal with these compliance costs…yet.
How expensive are current compliance costs under the GDPR’s current state? Does it just mean retaining a compliance manager and legal counsel on the payroll or would auditing costs also play a factor in it?
Well, costs vary by company size, location, and industry.
As someone said on Bluesky, Cambridge Analytica was only a 150-person company, yet the damage it did was huge.
Haha, shit, I forgot to include that argument!
Also good to mention, which I didn't include, is that the GDPR already has some exemptions for companies. For example, not all organisations need to appoint a data protection officer. This is not based on size but on the activities. A DPO is mandatory if:
Compliance costs vary significantly based on several factors, including company size, how many member states they need to be compliant in, customer-facing applications, and what data needs retention for their services.
I previously worked at a company that made their money by tracking customers and using their data to increase their sales. We had a department called Data Capture that needed to maintain compliance but found itself failing to keep data secure. So we began an overhaul of the systems in place, and I have quite some details which could help understand the cost for this small to medium sized company (~250 people).
GDPR Compliance Costs
Data Mapping & DPIAs: Triplog geolocation data requires country-by-country in-depth data protection impact assessments. $100,000–$200,000 annually depending on localization changes.
Training: GDPR role-based training for all staff must be provided in multiple languages. At ~$300 per employee, that’s another $75,000
Data Protection Officer (DPO): Required at this scale. An internal DPO is $100,000–$200,000 annually, or potentially outsourced for $80k.
Technology: Secure app/portal functionality (encryption, consent management) is $400,000–$600,000 per year. The initial cost to get encryption keys and proper storage to scale was ~1 million.
Legal: Complying with ~25 nations’ laws and regulations added $80,000–$120,000 per year based on what changes occurred
Total GDPR: ~$750,000–$1.2 million per year and costs can skew lower with pre-existing secure systems, or much higher if technology or policies require overhauls.
On top of all this we also needed to comply with standards and regulations to prove we had systems in place to keep the data safe and secure such as ISO 27001 and Cybersecurity Act (CSA).
ISO 27001 Certification Costs
ISMS Implementation: An Information Security Management System (ISMS) for the app/portal was ~$150,000 per year to maintain
Audits: Certification audits were about $50,000 and annual checks $20,000–$60,000 depending on reported violations found during inspection.
Training: ISMS training is $25,000 for this setup.
Security Controls: App/portal upgrades could cost $100,000–$200,000 based on what changes were being implemented
Total ISO 27001: Around $345,000–$500,000 per year
This cost may be higher than others based on country location
Regardless of some parts of this which I would challenge, what exactly is problematic about it? This limits cowboys from doing shady stuff with our personal data without thinking. It requires some more maturity from organizations wanting to take such responsibilities with our personal data.
I did not say there was an issue other than high costs to maintain compliance in response to the question from above. I was providing real world cost with my own experiences.
Got it, I just think it shouldn’t be an argument for not having it, that’s all.
I have never dealt with GDPR compliance so it is very possible that it is overly burdensome. That being said it seems to me if companies weren’t as obsessed with collecting absurd amounts of PII then compliance would be easier, such as if E2EE was used by default (where possible).
Additionally, I’m concerned about any honest attempt by some to modify the GDPR for the purpose of simplifying compliance being used as a Trojan horse to water down the protections offered by the GDPR.
Exactly. Not collecting user data is way cheaper. And you can still do it anonymously for a fraction of the price.