The General Data Protection Regulation (GDPR) has been one of the big-ticket items for IT departments in the last year. According to PwC, 68% of large US multinationals will have spent between $1 million and $10 million on GDPR readiness and compliance in the lead-up to the May 25, 2018 deadline. Forrester Research reported that 48% of mid-size to large companies in the US, UK, Germany, and France would spend at least $1 million, with 15% earmarking over $5 million for GDPR compliance.
This may be only a small portion of the overall IT spend Gartner is predicting for the enterprise software market in 2018, but it is still a significant expenditure for most companies; as such, it is dangerous to assume GDPR will be a one-off line item in IT budgets that stops being a concern after May 25th. Moreover, this deadline comes at a time when businesses are already under significant pressure to transform themselves into more agile, flexible organizations able to fend off emerging and digitally savvy competitors. This adds to the challenges facing IT organizations, which know there are a number of “what if” scenarios they may have to deal with; the biggest being, “what if your initial GDPR investment is not sufficient to get your organization ready?” And if that “if” comes true, how do you ensure GDPR does not become a costly millstone preventing your business from becoming more agile and ready for the digital business era?
Many organizations have taken a long-term approach to GDPR, integrating it into broader digital transformation initiatives designed to modernize existing infrastructures while building in the flexibility to meet the terms of these data protection laws. Such organizations are one step ahead, but they still need to remain vigilant for “mission creep,” because GDPR will evolve and will require IT systems to respond. This will demand agility that historically is difficult to achieve within the confines of legacy infrastructure without adding significant costs to implementations. Companies will need to be careful to avoid the spiralling costs, but this can be done by building a core IT architecture that is designed with agility and collaboration in mind. It will allow the disparate data management applications to share information, so that it is simple to fulfil critical aspects of GDPR regulation. Likewise for those companies who have not yet rolled out their plans or are still wondering how they can fund it, it is important to see GDPR not just as an “add-on,” but as an opportunity to create an underlying architecture, whose core purpose enables collaboration between applications, as this will provide the flexibility to deliver compliance today and into the future.
Interestingly, Forrester Research hinted at one of the very real dangers of GDPR—the potential for spiralling costs. In a recent Forrester survey, 58% said they would need an annual maintenance budget of more than $1 million to ensure compliance is sustained and 67% suggested that figure may rise in the future. This is pragmatic on one level, because no one yet knows how the regulation of GDPR will unfold, and it could quite likely demand further investment to address unanticipated consequences. However, it also reveals the realism of battle-hardened IT departments, who are well used to the spiralling costs of “keeping the lights on.” Perhaps, there is a sense that GDPR will simply add to the burden of spending 89% of existing budgets on operational IT. Clearly, this is a far-from-desirable consequence of GDPR at a time when companies would prefer to be investing to ensure they have agile IT infrastructure ready to compete in today’s digital world.
This theory gains more traction when you see the number of companies that doubt they will be ready by May 25th. Gartner claimed back in 2016 that by the end of 2018 more than 50% of companies affected by GDPR will not be fully compliant by the deadline. In January 2018, Forrester issued a less dire warning: according to ZDNet, 11% of companies were still considering what to do about GDPR, and a further 8% were not familiar with the topic at all. Even if you take statistics with a pinch of salt, there are worrying signs that GDPR compliance is not going to be a one-off line item on the IT budget. Rather, it may become something that adds to already bloated operational IT expenditure. Indeed, the same ZDNet article suggested that 22% of organizations expect to be compliant in the next 12 months, confirming that projects will likely drift beyond the May 25th deadline.
There is some logic in GDPR investment continuing beyond the initial deadline, because the interpretation of the regulation will become clearer in time. But, knowing that the days of unrestrained IT budgets are long gone, IT departments should be concerned about GDPR adding ongoing costs to their budgets. As such, the CIO needs to answer two key questions:
- Will the IT team be expected to add GDPR to its operational budget, thus increasing the “lights on” expenditure?
- If it is adding GDPR to its expenditure, how will that affect investment elsewhere?
In answer to both questions there is a case for an open source-based strategy, because it provides CIOs with greater flexibility and dramatically lower costs without sacrificing performance for a large number of existing and new applications. For example, migrating existing legacy commercial databases to open source alternatives can have a significant impact on the cost of maintaining complex licensing agreements and the recurring fees for annual maintenance support. (My colleague Marc Linster has talked in the past about how the Financial Services industry has turned to open source to reduce costs and increase agility.) If you choose an unsupported open source alternative, such as PostgreSQL, you will face no direct licensing charges, but you will have to consider the staffing implications and operational challenges of managing such systems without dedicated support. This is something that Dave Page, Chief Architect at EDB and Core Member of the Global Development Group for Postgres, has explained in detail. If you choose an open source-based solution backed by a vendor, there will be subscription charges, but no additional maintenance costs or threat of vendor lock-in. Furthermore, the responsiveness of open source communities can speed up security fixes that may be needed to respond to GDPR, without having to wait for the slower-moving patch cycles of the main commercial vendors.
However, open source offers even more strategic benefits for organizations that do not want GDPR to be a millstone. Many open source solutions, like PostgreSQL, are designed for flexibility and interoperability with other systems, which makes them more responsive to the fast-moving demands of the digital era. This enables businesses to adapt quickly to new opportunities, because open APIs allow IT departments to rapidly integrate new functionality developed by the community or by vendors who work with the open source community. It also frees up valuable resources to allow organizations to make these investments happen.
The message is clear. You might not be able to avoid the expense of GDPR, but don’t let GDPR become a millstone that slows down your ability to become more agile and integrate new technologies. Lean on open source to give you the flexibility and cost savings to re-invest in innovative applications that help your business compete more effectively in the digital business era. Then, you can concentrate on what’s important to your business—driving growth, improving productivity, and strengthening customer loyalty.
Ken Rugg is Chief Product and Strategy Officer at EnterpriseDB.