GDPR programme cost calculator.

Six inputs. Three outputs (year 1, year 2 ongoing, three-year TCO). Each output prints the assumption set inline. Useful for sanity-checking a consultant's quote, building a board paper, or benchmarking an in-house programme. The model is calibrated to per-line-item ranges across this reference site.

Inputs and outputs

Inputs:
  • Headcount
  • Regime
  • Prior privacy programme
  • ISO 27001 in place
  • Regulated sector
  • Customer-facing

Outputs (shown here for the default inputs: 51-200 staff, all multipliers 1.00):
  • Year 1: £22,000 to £90,000
  • Year 2 ongoing: £7,700 to £45,000
  • Three-year TCO: £37,400 to £180,000
Assumption set
  • Year 1 base for 51-200 staff is £22,000 to £90,000, drawn from per-line-item ranges across this reference site.
  • Regime multiplier: 1.00 (dual-regime adds roughly 25% for parallel CMP, transfer mechanism upkeep, and twin DSAR pipelines).
  • Prior maturity multiplier: 1.00 (mature prior programme reduces gap assessment, documentation, and remediation work).
  • ISO 27001 multiplier: 1.00 (an existing ISMS reduces the technical-and-organisational layer roughly 30-40%).
  • Sector multiplier: 1.00 (FCA, healthcare, and public sector readers face additional sectoral guidance and audit weight).
  • Audience multiplier: 1.00 (B2C inflates DSAR volume, CMP scope, and breach-notification fan-out).
  • Year 2 ongoing modelled at 35-50% of year 1 with reasonable programme discipline.

Indicative output only. Real quotes will reflect scope specifics (processor count, jurisdiction count, customer DPA volume, multi-entity scoping) the calculator does not capture. Cost ranges are for budget sanity-checking, not for procurement contracting.
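The assumption set above fully determines the three outputs: year 1 is the headcount-band base range scaled by the product of the five multipliers, year 2 is 35% (low end) to 50% (high end) of year 1, and the three-year TCO is year 1 plus two years of ongoing cost. The following Python is an added worked example that reproduces those figures; it is not the site's own calculator code. Only the 51-200 band base and the dual-regime uplift (roughly 25%, so 1.25) are stated on the page, so every other multiplier is an assumed caller-supplied parameter defaulting to 1.00, and the headcount-band table holds only the one band the page gives.

```python
"""Reproduce the GDPR programme cost model described on the page (added example)."""
from dataclasses import dataclass, fields
from typing import Dict, Tuple

Range = Tuple[int, int]  # (low, high) in GBP

# Year 1 base ranges by headcount band. Only the 51-200 band is given on the page;
# other bands are not listed here rather than guessed.
YEAR1_BASE: Dict[str, Range] = {
    "51-200": (22_000, 90_000),
}

# Year 2 ongoing is modelled at 35% of the year 1 low end and 50% of the high end.
YEAR2_FRACTION: Tuple[float, float] = (0.35, 0.50)

# Dual-regime (UK GDPR + EU GDPR) adds roughly 25% per the assumption set.
DUAL_REGIME_MULTIPLIER = 1.25


@dataclass(frozen=True)
class Multipliers:
    """The five scaling factors. 1.00 means 'no adjustment'; values other than
    the dual-regime uplift are assumptions the caller supplies."""
    regime: float = 1.00
    maturity: float = 1.00
    iso27001: float = 1.00
    sector: float = 1.00
    audience: float = 1.00

    def product(self) -> float:
        k = 1.0
        for f in fields(self):
            k *= getattr(self, f.name)
        return k


def estimate(band: str, m: Multipliers = Multipliers()) -> Dict[str, Range]:
    """Return year 1, year 2 ongoing and three-year TCO ranges for a headcount band."""
    if band not in YEAR1_BASE:
        raise KeyError(f"no base range recorded for headcount band {band!r}")
    low, high = YEAR1_BASE[band]
    k = m.product()
    year1: Range = (round(low * k), round(high * k))
    year2: Range = (round(year1[0] * YEAR2_FRACTION[0]), round(year1[1] * YEAR2_FRACTION[1]))
    # Three-year TCO = year 1 + two years at the ongoing rate.
    tco: Range = (year1[0] + 2 * year2[0], year1[1] + 2 * year2[1])
    return {"year1": year1, "year2": year2, "tco": tco}


def assumption_set(band: str, m: Multipliers = Multipliers()) -> list:
    """Mirror the page's inline assumption printout for a given run."""
    low, high = YEAR1_BASE[band]
    return [
        f"Year 1 base for {band} staff is £{low:,} to £{high:,}.",
        f"Regime multiplier: {m.regime:.2f}.",
        f"Prior maturity multiplier: {m.maturity:.2f}.",
        f"ISO 27001 multiplier: {m.iso27001:.2f}.",
        f"Sector multiplier: {m.sector:.2f}.",
        f"Audience multiplier: {m.audience:.2f}.",
        f"Year 2 ongoing modelled at {YEAR2_FRACTION[0]:.0%}-{YEAR2_FRACTION[1]:.0%} of year 1.",
    ]


def fmt(r: Range) -> str:
    return f"£{r[0]:,} to £{r[1]:,}"


if __name__ == "__main__":
    for label, m in (("single regime", Multipliers()),
                     ("dual regime", Multipliers(regime=DUAL_REGIME_MULTIPLIER))):
        out = estimate("51-200", m)
        print(f"{label}: year 1 {fmt(out['year1'])}; year 2 {fmt(out['year2'])}; "
              f"3-year TCO {fmt(out['tco'])}")
        for line in assumption_set("51-200", m):
            print("  •", line)
```

With all multipliers at 1.00 the function returns the page's default outputs exactly (£22,000 to £90,000; £7,700 to £45,000; £37,400 to £180,000), which is the quickest way to confirm a board-paper figure was not transcribed wrongly. Switching the regime multiplier to 1.25 shows how the dual-regime uplift propagates through year 2 and the TCO.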

Limits

What the calculator does not capture

A six-input calculator cannot reproduce a real engagement quote. What it deliberately does not include: processor inventory length (handled by a sector-and-audience proxy), customer DPA volume (proxied by audience), one-off litigation, M&A diligence, notifiable-breach response, sectoral regulator engagement beyond the broad sector multiplier. For procurement, treat the output as a sanity-check range, not a fixed quote.

How the model is calibrated

Methodology and sources

Per-input weights are derived from the line-item ranges across this reference site: implementation, DPO cost, tooling, training, audit, ongoing. Sources, dates, and the editorial position sit on the methodology page.

Contact

Discuss your specific scenario

Digital Signet does not sell DPaaS, does not run consultancy retainers branded under this site, does not act as a Data Protection Officer, and does not gate calculator output behind email capture. If your scenario does not fit the bands cleanly (a cross-jurisdictional programme, a complex processor stack, a regulated-industry overlay), email oliver@digitalsignet.com. This is not legal advice; for advice on your specific situation, consult a qualified data protection lawyer.

Updated 1 May 2026