What GDPR tooling actually costs across the stack.
“GDPR software” is not a single category. The stack is consent management, DPIA, records of processing, data subject access handling, and breach response. Each has its own vendor ecosystem, its own pricing logic, and its own twenty-times range from free to enterprise. Treating them as one purchase is the first procurement mistake.
Consent management platforms (CMP)
| Tier | Price band | Vendor examples | Best fit |
|---|---|---|---|
| Free / open source | £0 | Klaro, CookieConsent OSS, vendor free tiers | Single low-traffic UK site, internal capability to maintain |
| Entry SaaS | £5 - £30 / site / mo | Iubenda (from $5.99), CookieYes (from $10), OSANO entry | SME, single-language, low DSAR volume |
| Mid-market | £200 - £800 / mo | Cookiebot (post-2025 repricing), Usercentrics, Didomi | Multi-language, multi-domain, IAB TCF support |
| Enterprise | £10k - £100k+ ACV | OneTrust (2026 ACV floor £10k+), Securiti, BigID privacy | Multi-jurisdiction, IAB TCF + GPP, integration with consent ledger |
Vendor pricing collected from public pricing pages, April 2026. Cookiebot doubled base pricing in mid-2025; OneTrust set a 2026 ACV floor of approximately £10,000 that pushed mid-market customers off platform. Vendor pricing changes regularly; verify before procurement.
DPIA tools
DPIA tooling falls into three groups: spreadsheet templates (free, adequate for low-volume processing inventories), standalone DPIA modules (Konfirmity, Microsoft Priva, OSANO, ranging £200 - £1,500 per month), and platform-bundled (OneTrust, BigID, Securiti, where the DPIA module is part of an enterprise ACV). For most mid-market organisations, a standalone module beats both a spreadsheet (audit trail) and a full platform (cost) in years 1-3.
ROPA tools
Records of processing under Article 30 are within reach of a maintained spreadsheet for under-50-staff organisations with stable processing inventories. Once processor count exceeds 30, or once jurisdiction count exceeds three, a structured ROPA tool starts to earn its keep. Public pricing for standalone ROPA / privacy-mapping tools clusters £150 - £1,200 per month, scaling with processor count and user seats.
SAR / DSAR handling
The hidden cost of data subject access requests is volume scaling with marketing reach. A B2C product that grows from 50,000 to 500,000 users typically experiences a 5-15x increase in SAR volume over the same period, and the manual cost per SAR (commonly £200 - £900 fully loaded) is the dominant cost line. SAR automation tooling (OneTrust DSAR, Securiti DSR, Transcend, OSANO Data Subject Rights) starts paying back at roughly 30 SARs per month. Below that volume, a structured spreadsheet plus a documented playbook is more economical.
Breach response tooling
Pre-paid breach tooling (notification platforms, evidence preservation tools) rarely earns back its cost in years 1-3 for organisations that have not had a notifiable breach. Forensic retainer arrangements with an IR firm (Mandiant, NCC Group, Kroll, Bridewell) are the alternative, typically structured as a small annual retainer (£3,000 - £15,000) plus on-incident day rates (£1,200 - £2,500 / day). The retainer’s main value is guaranteed response SLA inside the 72-hour notification window.
What teams underestimate
Three patterns dominate: CMP renewal escalation (Cookiebot doubling and OneTrust’s 2026 ACV floor caught most mid-market customers unprepared), data-mapping discovery scope creep (the processor inventory grows once the platform is configured to look for unknowns), and SAR volume scaling with marketing reach (the fastest-growing operational cost line in B2C). Year 2 budgets that assume year 1 tooling spend rolls forward miss all three.
Sanity check scenarios
- Iubenda or CookieYes ($60-£250 / yr), DPIA spreadsheet, structured ROPA spreadsheet, manual SAR playbook, IR retainer (£3k / yr).
- Cookiebot or Usercentrics (£500-£800 / mo), Konfirmity DPIA (£300-£700 / mo), structured ROPA tool, manual SAR with template, IR retainer (£8k / yr).
- OneTrust enterprise or Securiti (£25k+ ACV), DPIA module bundled, ROPA bundled, DSAR automation (the volume justifies it), IR retainer (£15k+ / yr).