New report: Brands set budgets and expectations for GDPR compliance

A new study from Forrester supports the idea that brands doing business in Europe are making a concerted effort to comply with the upcoming General Data Protection Regulation (GDPR) and the related ePrivacy Regulation.

The report — “Embrace the GDPR to Gain a Competitive Edge” [registration required] — was commissioned by Evidon, whose technical solutions for governance, risk and compliance include a GDPR offering. Evidon told me it had final edit of the report and helped determine the survey questions, but it didn’t have any ongoing editorial control.

Almost half (48 percent) of the responding firms said they are setting up an initial establishing budget of more than a million dollars for GDPR/ePrivacy compliance. Fifty-eight percent will have a maintenance budget of about the same amount, and 67 percent expect these budgets will rise after May.

The new budgets will help the firms comply, the report said, and that compliance might also provide competitive boosts.

Evidon Chief Privacy Officer Todd Ruback told me via email that GDPR “is viewed widely as an opportunity [to undertake] a higher standard of data governance.”

According to the report: “Firms expect to see increased loyalty, satisfaction, and engagement from customers as well as brand differentiation and uplift for themselves.” About a third of the respondents expect to improve brand perception, and about a quarter expect greater brand differentiation.

Additionally, the study says, GDPR and ePrivacy “will fundamentally change the way organizations must think about privacy going forward.”

Almost half (48 percent) of the respondents expect they will now design privacy as a fundamental part of their organizations, and about a third expect privacy to become a key part of their corporate culture.

Organizations also need to consider their legal exposure from partners and vendors who do not comply with GDPR/ePrivacy in data handling. But the report indicates firms are already considering how they will adapt to this potential new liability.

About two-thirds of respondents will continuously audit their vendors to make sure they’re complying, will write GDPR requirements directly into third-party contracts and will decline to work with vendors that can’t guarantee compliance.

An additional concern is how to balance compliance with a positive customer experience, since the required consents and communications with customers could become onerous if not properly designed and managed. The report doesn’t indicate how to accomplish that goal, which will differ for each brand.

The respondents were 263 data and compliance decision-makers at organizations that have operations or otherwise do business in Europe. About 40 percent of the organizations are based in the US, with about an additional fifth each in the UK, Germany and France.