GDPR preparation has cost FTSE 350 businesses around $1.1 billion

23 May 2018 3 min. read

With the GDPR’s implementation a matter of days away, companies in the UK are still scrambling to comply with the European law. As some confusion remains around key concepts such as ‘consent’ for many top companies, this has seen FTSE 350 spending on the matter speed past the $1 billion mark, according to new research.

The General Data Protection Regulation is a new EU regulation which will govern how organisations manage and structure their customer and employee data after May 2018. Many of the stipulations are already covered in the UK’s Data Protection Act, but after May 2018, organisations will have to prove they have proper data-processing controls in place and that they comply with GDPR.

The GDPR is the most fundamental change in data protection legislation for the past 20 years and is the first attempt to create comprehensive and enforceable laws. The legislation will affect all domestic and international businesses operating in the EU – regardless of size – threatening those who fail to comply with hefty fines of up to €20 million or 4% of global revenues, depending on which one is larger.

Previous studies in anticipation of GDPR suggested the landmark legislation could cost FTSE 100 companies alone as much as £5 billion in fines. Naturally then, this has seen a veritable frenzy of activity among businesses to prepare for the new data law, something which has seen FTSE 350 businesses sink an estimated $1.1 billion into their compliance efforts. According to the International Association of Privacy Professionals and Big Four professional services firm EY, US corporates among the Fortune 500 saw an even higher bill of $7.8 billion.

GDPR preparation has cost FTSE 350 businesses around $1.1 billion

Perhaps unsurprisingly some of the top spenders include internet giants such as Facebook. With Mark Zuckerberg having recently appeared before the US senate following the alleged abuses of user data in the Cambridge Analytica scandal, Facebook has reportedly been scrambling to reposition itself in time for the end of May.

While this spending spree may largely have been entirely necessary due to the practices of companies which motivated the law’s creation, however, researchers also believe the new rules have been left vague, forcing corporates and startups alike to invest in pricey legal experts to interpret how to best prepare for GDPR. Counting a fifth of the FTSE 100 among its clients, magic circle law firm Slaughter and May is one of a number of major law firms hoping to cash in on this, listing the GDPR on its website among its top areas of expertise.


According to Luther Teng, a Senior Manager in Risk Advisory with EY, this is proving a successful strategy for lawyers, with some of the UK companies he’s working spending up to 40% of their total GDPR compliance budgets – which the IAPP estimates to be around $2.4 million per FTSE 350 firm – on legal advice alone.

Teng elaborated, “Even some FTSE 350 companies that have very established in-house legal teams are having significant costs because they don't have the subject expertise on data privacy, let alone GDPR.”

One of the factors fuelling this was cited by experts as the term ‘consent’. While GDPR explicitly states companies need a clear record of explicit ‘consent’ for any personal data to be collected – for everything from email addresses to a computer’s IP address – for example, there is a lingering confusion among businesses around what exactly constitutes ‘consent’, and whether consent given prior to the GDPR is still valid.

Recently, this continued confusions saw Sia Partners predict that FTSE 100 companies could expect to pay an average of £15 million each to be compliant. This broke down to suggest that companies should be expecting to spend around £300-450 per head on their compliance efforts.

Related: GDPR compliance to cost FTSE100 firms £15 million, banks face largest bill.