GDPR: Budget, Gap & the analogy of polluted water.

In Data Privacy, Data Protection, GDPR by Christoph BalduckLeave a Comment


If you haven’t heard of GDPR by now you’ve either been on a deserted island, went on a digital detox for the last 6 to 12 months, or… anyway you’re one of the few (happy) people not worrying about it’s impact… yet.

By: Christoph Balduck

If you have heard of GDPR or are busy implementing it, you might be wondering what your implementation budget should be, how big the gap can be and how to convey the message in a simple way to all of your colleagues & management.


In terms of total GDPR implementation budget – we’ve seen ranges from 0,01 to 1% of global turnover – depending on the size of the company, it’s margin and risk level in terms of personal data exposure.

This range provides an indication but companies with high legacy and medium to high risk have to assume a total budget of about 0,5% to 1% of global turnover.

This refers to the total budget to implement (not the yearly budget).

As GDPR doesn’t end on the 25th of May 2018, the design of your solutions, architectures, policies, procedures, processes and organisations is crucial to prevent high GDPR maintenance costs.

It’s therefore important to extend the GDPR business case with other benefits. If done well, the investment in GDPR will serve business goals like operational excellence, better analytics & insight, innovation, better customer view, more accurate next best action & next best offer with higher conversion rates,….


With GDPR there’s no such thing as “one gap” – as GDPR covers several aspects: legal, processes & organisation, policies & procedures, documentation/register, information and data management, IT/tech, security,… .

Many companies find the gaps to be substantial as GDPR forces them into managing their (wide scope of) personal data, keeping track of it and making sure no unnecessary personal data is collected, stored or processed.

For years data management was considered a burden and a cost for many companies, with little to no direct visible impact on revenue or cost savings.

Successful data-companies however, used data & information management to either grow fast, optimize customer experience, improve operational excellence, disrupt or make better use of analytics.

Most of these successful companies know their data, have it under control and make sure every employee can get the most out of the data (including personal data). A data and information mgt. gap analysis will therefore often result in a significantly smaller gap than their competitors & peers who haven’t invested in data & information mgt. .

The higher your data & information management maturity – the lower your effort to becoming GDPR compliant.

Nevertheless, it’s not because a company has a higher maturity in terms of data & information management – that it’s automatically dealing with data privacy and data protection in a (more) compliant manner.

The analogy of the boat & polluted water.

In order to explain the data and information gap, affecting the size of your implementation effort, we’ll use the analogy of a boat & water.

Imagine a company represented by a boat which sails to different destinations to run it’s business.

This boat sails on a river which is very much polluted and has been for years now (with every year facing an increasing level of pollution).

The water of the river represents the data – the pollution represents bad quality data & data not being managed or not under control – but nevertheless crucial to keep the boat (business) running.

The boat managers don’t really care about the polluted water – as long as they are able to get to their destinations and reach more and more destinations using bigger and more powerful engines – there’s no reason for doing anything about the water.

What the captain and it’s management don’t necessarily see is that below deck a lot of local hero’s are continuously removing the dirt in front of the boat to keep it moving (local hero’s continuously working to get some of the data fixed to be able to move on – knowing the same problems will occur again soon).

From time to time dirt gets into the engine and a problem is reported all he way to the captain and the management, but as this is usually fixed soon (bypassed) it’s back to business as usual and the core problem is not dealt with.

Some people on the boat and a number of visitors (data & information mgt. professionals) see the risk and understand the problem (and opportunity).

They try to convince the management that cleaning up the water would save them time & money – but it’s difficult to convince management that the effort of cleaning up the dirt in the river is ultimately good for the boat and it’s operations as well.

A new legislation…

Recently however, the government created a new legislation – forcing the boat companies to cleanse the water – as the government realized people were actually swimming in this polluted water and they were getting sick of it. (cfr. data subjects suffering from lack of data privacy and data protection).

The government has been telling this to boat companies for over 20 years, but with the new legislation it will be able to impose severe fines so most boat companies will be forced to do something about it.

Fixing a problem that has expanded over time (more water and river branches (big data), more rivers and more pollution) is not an easy task and the gap to overcome for (boat) companies that have never done anything in terms of this pollution (data) is huge.

Fortunately a number of companies have already started reducing some of the pollution over the last few years and luckily some smart people are coming up with solutions to accelerate the clean-up.

Companies have until the 25th of May 2018 to get the water cleansed & can expect fines from then on.

Some have started & some are only focussing on the big debris, but forgetting the fact that even if the water looks clean it can still be unsafe (poisoned).

The analogy with the boat and polluted water allows for an easy explanation and understanding of the immense gaps and efforts companies are facing today.

It also indicates that the 25th of May is not an end point – as the government isn’t looking for a one time clean-up but for a continuous clean river with good quality water – allowing data subjects to swim safely.

You’re not alone.

Leave a Comment