Note: This is the fifth of an ongoing series on GDPR. We’ll be preparing you all the way to May 2018 on topics like: Privacy Protection and Breach Notification, GDPR Compliance Strategies, GDPR Enforcement and Penalties, Potential GDPR Costs, GDPR Auditing and more. Subscribe using the button on the right and you’ll be updated when we post a new article.
Today we will provide insight into potential costs of becoming GDPR compliant. We will also discuss some current news and hopefully clear up confusion that might exist as it relates to GDPR’s effect on businesses. As always, our goal is to make organizations aware of GDPR and how it will affect them.
The Cost Factors
In previous posts, we discussed the steps necessary to become compliant as well as potential costs of non-compliance, i.e. fines. But the costs we are discussing today include the cost of coming into compliance and of maintaining an ongoing GDPR program. It’s nearly impossible to put a price on what it will cost a particular company to become compliant. However, we can take a look at some the factors affecting costs.
The first determining factor is what industry the business is in and what data is actually being processed. Next, how large or small is the company? Smaller organizations may have an exception for documentation requirements, but beyond that, GDPR will generally apply to both large and small organizations similarly.
The third factor is where the organization is currently, as it pertains to privacy. What is already in place? Will the current process be used for GDPR prep or will there be an entirely new privacy approach?
The final cost factor is whether or not there have to be new IT systems implemented, in order to support the GDPR program. All of these factors will impact the overall cost to implement and maintain a GDPR program.
AI & GDPR
A growing trend in the technology world – and one that will definitely affect GDPR enforcement – is Artificial Intelligence (AI).
Many times AI is used to gather data from users and make decisions based upon that information. (A good example would be how banks gather personal data and make loan determinations.)
Before we talk about how AI affects GDPR, let’s first talk about GDPR “Recitals.”
Within the EU, Recitals provide clarity for how laws or regulations are to be enforced. They are not legally binding and cannot be enforced themselves. However, the Recitals are used by the Court of Justice of the European Union. In the case of GDPR the Recitals will be used by the European Data Protection Board to ensure the consistent application of GDPR.
So how does this relate to AI? Contained within Recital 71 there is a phrase — “right to explanation” — which pertains to data subjects. This means data subjects have a right to explanation as to why their information was used. In the example of a bank loan, data subjects could actually be entitled to know exactly why decisions were made. At times it can be hard for organizations to determine “why” AI makes the decisions it does and it could lead to confusion.
The best way to prepare for the enforcement of GDPR is to stay focused on creating the privacy systems and structures that will maintain compliance, as well as being aware of any changes in philosophies of what enforcement will look like when it comes. Understanding the factors that will impact the cost to implement and maintain a GDPR program will greatly increase an organization’s chance for business success in a technology world governed by GDPR.