Independent reference. Not legal advice. Consult a qualified data protection lawyer for advice on your specific situation. Methodology and sources.
Calculator

GDPR programme cost calculator.

Six inputs. Three outputs (year 1, year 2 ongoing, three-year TCO). Each output prints the assumption set inline. Useful for sanity-checking a consultant’s quote, building a board paper, or benchmarking an in-house programme. The model is calibrated to per-line-item ranges across this reference site.

Inputs and outputs
Inputs
  • Headcount
  • Regime
  • Prior privacy programme
  • ISO 27001 in place
  • Regulated sector
  • Customer-facing
Outputs
  • Year 1: £22,000 to £90,000
  • Year 2 ongoing: £7,700 to £45,000
  • Three-year TCO: £37,400 to £180,000
Assumption set
  • Year 1 base for 51-200 staff is £22,000 to £90,000, drawn from per-line-item ranges across this reference site.
  • Regime multiplier: 1.00 (dual-regime adds roughly 25% for parallel CMP, transfer mechanism upkeep, and twin DSAR pipelines).
  • Prior maturity multiplier: 1.00 (mature prior programme reduces gap assessment, documentation, and remediation work).
  • ISO 27001 multiplier: 1.00 (an existing ISMS reduces the technical-and-organisational layer by roughly 30-40%).
  • Sector multiplier: 1.00 (FCA, healthcare, and public sector readers face additional sectoral guidance and audit weight).
  • Audience multiplier: 1.00 (B2C inflates DSAR volume, CMP scope, and breach-notification fan-out).
  • Year 2 ongoing modelled at 35-50% of year 1 with reasonable programme discipline.

Indicative output only. Real quotes will reflect scope specifics (processor count, jurisdiction count, customer DPA volume, multi-entity scoping) the calculator does not capture. Cost ranges are for budget sanity-checking, not for procurement contracting.

Limits

What the calculator does not capture

A six-input calculator cannot reproduce a real engagement quote. It deliberately leaves out: processor inventory length (handled by a sector-and-audience proxy), customer DPA volume (proxied by audience), one-off litigation, M&A diligence, notifiable-breach response, and sectoral regulator engagement beyond the broad sector multiplier. For procurement, treat the output as a sanity-check range, not a fixed quote.

How the model is calibrated

Methodology and sources

Per-input weights are derived from the line-item ranges across this reference site: implementation, DPO cost, tooling, training, audit, ongoing. Sources, dates, and the editorial position sit on the methodology page.

Advisory inquiry

Need a defensible quote?

Digital Signet does not sell DPaaS, does not run consultancy retainers, and does not gate calculator output behind email capture. For a defensible procurement-stage quote, reach out via the advisory inquiry channel listed on the methodology page and we will route you to a practitioner.