Independent reference. Not legal advice. Consult a qualified data protection lawyer for advice on your specific situation.
FAQ

GDPR cost frequently asked questions.

Twelve questions buyers ask before approving a GDPR budget, with substantive answers and a deep link to the page that treats each topic in full. No links inside answers other than the deep-link reference, no marketing routing, no email-capture step.

Buyer questions
How much does GDPR compliance cost a small business?
A 10-person UK business that registers with the ICO at Tier 1 (£40 standard, £35 by direct debit), uses a free or low-cost cookie consent tool, drafts policies in-house, runs basic awareness training (£7-£30 per head), and pays for occasional advisory calls can spend roughly £400 to £3,000 in year 1. The number rises sharply once headcount, customer DPA volume, or B2C scale enters the picture. Full SME treatment on the small business page.
How much does it cost to implement GDPR?
Implementation is the gap-assessment-to-go-live phase. Realistic ranges by company size: SME (10-50) £3,000 - £30,000; mid-market (50-500) £25,000 - £150,000; enterprise (500+) £120,000 - £500,000+. The first year typically accounts for 60-70% of three-year programme spend, with the remainder distributed across surveillance, retraining, and tooling renewal. The five line items (gap assessment, remediation, documentation, tooling, training) sit on the implementation cost page.
What is the cost of a Data Protection Officer?
Internal UK DPOs earn a median £50-65k base salary (IT Jobs Watch UK panel data, 2025-2026), with senior CIPP/E or CIPM holders in the £80-150k range. Loaded cost adds 25-30%. Fractional DPO retainers run £500-£2,500 / month. DPaaS subscriptions advertise £4k-£25k / year. Consultancy day rates run £900-£2,200. The crossover analysis sits on the DPO cost page.
Do I need a DPO?
Article 37 mandates a DPO for public authorities, for core activities consisting of large-scale regular and systematic monitoring of data subjects, and for core activities consisting of large-scale processing of special-category or criminal-conviction data. Many borderline organisations use a designated person rather than the formal DPO designation. The legal call belongs to a qualified data protection lawyer; the cost analysis sits on the DPO cost page.
How much is a GDPR audit?
Three audit shapes with different ranges. Internal audit £2,000 - £15,000 in loaded effort. External advisory audit £5,000 - £70,000 depending on processor count, jurisdiction count, and prior maturity. Certification audit (ISO 27701, Europrivacy) £12,000 - £80,000+ initial, with surveillance audits at 70-80% of initial cost recurring annually. The audit cost page splits each shape.
How much is the ICO data protection fee?
The ICO publishes three tiers under the Data Protection (Charges and Information) Regulations: Tier 1 (micro) £40 standard / £35 by direct debit; Tier 2 (SME) £60 / £55; Tier 3 (large) £2,900 / £2,895. The fee is a statutory charge funding the regulator’s work. It is not a fine. Civil monetary penalties apply for non-payment by organisations subject to the duty. Schedule and exemptions on the UK vs EU GDPR page.
How much does GDPR training cost?
Per-head e-learning £7 - £30. Instructor-led £85 - £350 per delegate. Role-specific (engineering, marketing, HR, customer support) £45 - £200 per head. DPO-track CIPP/E and CIPM training £700 - £1,500 each plus exam fees and IAPP membership. Bulk discount thresholds at 50, 100, and 500 seats. Annual refresh is the common-practice baseline. The training cost page has the ladder.
What does a GDPR fine cost?
Article 83 sets a two-tier penalty cap: tier 1 up to €10m or 2% of global turnover; tier 2 up to €20m or 4%. Cumulative GDPR fines since May 2018 are approximately €7.1bn (CMS Enforcement Tracker, March 2026). 2025 calendar-year fines were approximately €1.2bn. Most fines settle below the cap. The total cost of a notifiable breach typically runs five to twenty times the eventual statutory fine once forensics, legal, notification, and remediation are included. The fines and breach cost page sets out both layers.
What is the difference between UK GDPR and EU GDPR cost?
UK GDPR and EU GDPR remain 90-95% identical. The Data Protection and Digital Information Act 2024 and the Data (Use and Access) Act 2025 introduced UK divergences on cookie consent (soft opt-out for low-risk analytics), recognised legitimate interests, DSAR “stop the clock”, and the international transfer test. Operating in both regimes adds a 20-30% uplift for parallel CMP, twin transfer mechanism upkeep, and parallel supervisory engagement. Detail on the UK vs EU GDPR page.
How long does GDPR compliance take?
Realistic first-pass timelines: SME without prior programme 4 - 6 months; SME with prior programme 3 - 4 months; mid-market (50-500) 9 - 18 months; mid-market with ISO 27001 6 - 12 months; federated enterprise (500+) 18 - 36+ months. Compressing a natural-pace programme costs 1.4-1.8x because of consultancy day-rate inflation and parallel-workstream coordination overhead. The timeline page sets out the calendar.
What ongoing costs does GDPR have?
Year 2 typically settles at 30-50% of year 1 spend with reasonable programme discipline. Recurring lines: ICO fee renewal, CMP subscription, DPO retainer or salary, training refresh, DPIA reviews, transfer mechanism upkeep, surveillance audit (if certified), sub-processor inventory maintenance. Year 2 budgets regularly fail on CMP escalation, regulatory change re-papering, M&A integration, and product launch privacy review. The ongoing cost page treats year 2 onwards.
Can I do GDPR compliance myself or do I need a consultant?
Under 30 staff with no prior programme: self-execution plus a paid end-of-programme review usually beats a full consultancy retainer. 30-150 staff: hybrid (consultant for gap assessment and DPIA framework, internal for remediation, consultant for paid review pre-go-live) is the sweet spot. 150-500 staff: full consultancy engagement typically beats internal-only on calendar time even if total cost is similar. 500+: programme-shape decisions dominate. The implementation cost page has the crossover detail.