GDPR compliance to cost FTSE100 firms £15 million, banks face largest bill
As the May 2018 implementation deadline for the General Data Protection Regulation (GDPR) looms, many firms are still scrambling to prepare for the landmark legislation. Their compliance will come at a price, however: new research puts the average bill for a FTSE100 firm at £15 million, and companies should expect to spend around £300-450 per employee on their compliance efforts.
According to new analysis from Sia Partners, two major observations can be gleaned from examining how the UK’s top businesses are planning to cope with the GDPR. Each firm in the FTSE100 index will face a different level of investment, since size, IT system complexity, the number of products and service lines, and a host of other factors vary from one firm to another, but some themes remain constant across the board.
First, and most obviously, implementation costs grow with a firm’s size: larger operations hold more data, which adds complexity to compliance. The spread between the lowest and highest potential budgets also widens markedly as firm size increases.
The second point that the authors, David Coolegem, a Senior Manager, and Adrien Dauchot, a Senior Consultant at Sia, draw from their data is that this spend levels out when measured per employee. The minimum and average implementation cost per employee are consistent across firm sizes, with implementation costing £300-£450 per employee on average across all sectors. The maximum seen from any individual firm, however, falls markedly once firm size exceeds 10,000 employees.
The authors explain that this is because the maximum figures are outliers within an otherwise tightly clustered group, naming large insurance groups and oil & gas firms as the biggest outliers. This further reinforces that £300-£450 per employee is a good first gauge for firms trying to evaluate how much to spend on GDPR compliance.
Within the FTSE100, banks are the group with the highest expected GDPR spend. Banks serve a wide range of customers (from retail to supranational), offer a very broad range of products and services, and tend to run complex webs of legacy IT systems. They also operate in an increasingly competitive market in which customers can switch providers relatively easily; according to recent research by Baringa Partners, almost a third of people (29%) say they would immediately switch to another bank if their provider suffered a major breach in which their personally identifiable data was leaked. As a result, the average implementation cost per employee is consistently higher across the banking industry.
Major spending
Excluding banks, the average spend per sector clusters around two distinct levels. The energy, commodities & utilities, retail goods and technology & telecommunications sectors will see approximate spends of £15-19 million, while the remaining camp, made up of all other market sectors, will most likely settle at around the £5-11 million level, according to Sia Partners’ estimates.
One major outlying group is large insurance companies, which face a disproportionately high average implementation cost per employee. This, coupled with the plentiful and sensitive information at the heart of the insurance industry’s work, means they also have the highest maximum spend within the second camp. On these grounds, Sia concludes that there are three key outliers from the general GDPR spending level of £300-450 per head: banks; energy, commodities & utilities firms, driven by the big oil companies; and non-banking financial services firms.
Irrespective of industry, however, Sia Partners’ analysis shows that firms will need significant budgets to bring themselves in line with the GDPR’s requirements: on average, a weighty £15 million investment. These changes would pay for themselves many times over if they help companies avoid the severe penalties the new data protection regime carries. The headline fine for a serious GDPR breach is up to 4% of annual global turnover (or €20 million, whichever is greater), which Oliver Wyman suggests could cost the FTSE100 a collective £5 billion in fines each year.
For the FTSE100, a fine of 4% of annual turnover would range from £800,000 for the smallest member to £7.1 billion for the largest. Generalising these numbers, a 4% fine represents on average 30-80 times the cost of implementing the GDPR adequately in the first place. Within this range, energy, commodities & utilities and industrial goods & services stand out with very high multiples of approximately 80. This reflects the comparatively low cost of GDPR implementation for these sectors, and highlights that such programmes would offer them a very high return on investment.