How we source and present GDPR cost figures.
A cost-reference site without a published methodology is a credibility tell. This page sets out where the numbers come from, what we exclude, the limits of the modelling, the editorial position, and our conflict-of-interest statement.
Sources
- Public vendor pricing pages (CMP, DPIA, ROPA, SAR, breach tooling), captured with date.
- Published consultancy rate cards and packaged DPaaS pricing (anonymised in-text where attribution is sensitive, named where the vendor publishes openly).
- IAPP global salary survey and IAPP Privacy Tech Vendor Report.
- IT Jobs Watch UK DPO and privacy permanent role panel.
- Glassdoor UK DPO London panel (cross-reference only).
- ICO statutory fee schedule (Data Protection (Charges and Information) Regulations 2018, as amended).
- CMS GDPR Enforcement Tracker and GDPRhub case database for fine and decision aggregates.
- EDPB guidelines and statistics.
- IBM Cost of a Data Breach annual report (UK and EU breakouts).
- Anonymised market-rate panels (consultancy day rates, audit firm fees, IR retainer pricing).
- UK GDPR statutory text, EU GDPR (Regulation (EU) 2016/679), DPDI Act 2024, Data (Use and Access) Act 2025, PECR.
What we exclude
- Proprietary client data from advisory engagements.
- Single-quote anecdotes without aggregation.
- Vendor-promotional figures that cannot be independently verified.
- Undated cost ranges (a 2018 figure is not a 2026 figure).
- “Industry insider” claims without traceability to a named source.
- Listicle, how-to, and vendor-comparison content. The site deliberately does not publish “top 10” pages or “OneTrust vs Cookiebot” grids.
Limits
Cost ranges on this site are point-in-time. CMP vendor pricing in particular shifts on rolling annual cycles; the Cookiebot mid-2025 repricing and OneTrust’s 2026 ACV floor are recent examples. Always verify pricing on the vendor’s own page before procurement. Currency: GBP is primary; EUR figures are converted at the exchange rate on the last-review date.
Last reviewed: April 2026. Next scheduled review: October 2026, or earlier if the Data (Use and Access) Act 2025 implementation guidance materially shifts the budget delta.
Editorial position
Independent reference, not legal advice. Not affiliated with the European Commission, the European Data Protection Board, or the UK Information Commissioner’s Office. References to UK GDPR, EU GDPR, the Data (Use and Access) Act 2025, DPDI Act 2024, PECR, or any specific regulator are descriptive only.
Content is reviewed for “is this legal advice in disguise?” risk before publication. Imperative legal language (“you must do X”) is replaced with descriptive framing (“the regulation requires a controller of relevant size to maintain a Record of Processing Activities”). Where a question is genuinely a legal call for the reader’s situation, the page directs the reader to consult a qualified data protection lawyer.
Conflict of interest
Digital Signet does not sell DPaaS, does not run consultancy retainers branded under this site, and does not gate any calculator or content behind email capture. Where Impact affiliate referrals exist for tooling vendors, they are disclosed on the relevant page. Affiliate revenue does not influence which cost ranges are published; vendors that pay us no commission are listed equally alongside vendors that do.
Advisory inquiry
For a procurement-stage sanity check or a defensible quote, the advisory inquiry route is: advisory@gdprcompliancecost.com. We do not provide legal advice; we route to qualified practitioners.