What GDPR costs from year two onwards.
First-year implementation gets the airtime. From year 2 onwards a GDPR programme either stabilises at 30-50% of year-1 spend or quietly bleeds budget through consent management platform (CMP) price escalation, regulatory change, M&A integration, and scope expansion. Maintenance economics deserve the same rigour as implementation.
Why year 1 is not the budget
A typical GDPR programme distributes spend roughly 60-65% in year 1, 18-22% in year 2, and 15-20% in year 3. The drop from year 1 to year 2 is large because gap assessment, remediation, documentation, and tooling deployment are largely one-off. The level set in year 2 is the realistic ongoing baseline.
Recurring line items
- ICO data protection fee: £40 / £60 / £2,900 a year for Tier 1 / 2 / 3 (micro, SME, large organisation). These are the pre-2025 amounts; the ICO raised all three tiers in February 2025, so confirm against the current schedule before budgeting.
- CMP subscription: £0 to £100k+ annual contract value (ACV) depending on tier, and rarely flat year over year.
- Data protection officer (DPO): loaded cost of an internal DPO (£60-£150k+) or a fractional / DPaaS recurring fee (£500-£25k+ a year).
- Training refresh: an annual baseline plus role-specific top-ups; onboarding-triggered training scales with hiring.
- DPIA reviews: data protection impact assessments triggered by new processing, vendor changes, and regulatory developments. A mid-market organisation typically runs 3-8 DPIAs a year.
- Transfer mechanism upkeep: re-papering when a sub-processor moves region, when the standard contractual clauses (SCCs) are updated, or when an adequacy decision shifts.
- Surveillance audits: recurring surveillance audits for ISO 27701 or Europrivacy certification, each at roughly 70-80% of the initial certification cost.
- Sub-processor inventory maintenance: change tracking, public list updates, and customer notification on material changes. Under Article 28(2) controllers must be told of intended sub-processor changes and given the chance to object, so the notification step runs on a contractual clock, not at leisure.
Where year-2 budgets blow up
Four patterns dominate the unexpected line items in years 2-3:
- CMP price escalation. Cookiebot doubled base pricing in mid-2025. OneTrust's 2026 ACV floor of approximately £10,000 pushed many mid-market customers off the platform. A year-2 CMP budget that simply rolls the year-1 figure forward regularly misses this line by 50-100%. Read the uplift and auto-renewal clauses before the notice window closes; a price cap negotiated at signing is the cheapest fix.
- Regulatory change forcing re-papering. The Data (Use and Access) Act 2025 changes (the recognised legitimate interests (RLI) list, the PECR soft opt-in extension, stop-the-clock DSAR handling, the new transfer test) require policy and process updates, and because the Act commences in phases the work lands across more than one budget year. Ongoing EDPB guideline updates need the same treatment.
- M&A integration. An acquired entity arrives with its own (or no) record of processing activities (ROPA), its own (or no) DPIA library, and its own sub-processor footprint. Integration commonly costs as much as the original implementation in the integration year.
- Scope expansion through new product launches. Each new processing activity needs a lawful basis decision, a ROPA entry, often a DPIA, and sometimes a new transfer mechanism. Product-launch privacy review is routinely left out of the launch budget.
What discipline saves
Three disciplines reliably reduce ongoing cost:
- Automating evidence collection. Sprinto and Hyperproof claim a 40-60% reduction in evidence-collection time; the figures come from their own marketing and are cited here with that limit stated.
- Consolidating onto a DPaaS provider once fragmented point tools have accumulated.
- Rebalancing internal against external effort as the organisation matures: external lift early, internal consolidation mid-stage, selective external depth late.
Three-year TCO sanity check
| Scenario | Year 1 | Year 2 | Year 3 | Three-year TCO |
|---|---|---|---|---|
| 30-person UK SaaS | £18k - £32k | £8k - £14k | £8k - £15k | £34k - £61k |
| 200-person UK retailer | £55k - £140k | £25k - £60k | £24k - £58k | £104k - £258k |
| 500-person UK + EU fintech | £180k - £450k | £75k - £180k | £72k - £170k | £327k - £800k |
TCO ranges assume reasonable programme discipline, no notifiable personal data breach in years 2-3, and no material M&A activity. Either of the last two events materially shifts the numbers.