The Cost of a GDPR Assessment

Like most organizations today, you've probably noticed an increase in privacy questionnaires in addition to the already existing security questionnaires from your customers. This is likely driven by the General Data Protection Regulation of 2016, otherwise known as the GDPR, and your organization is probably trying to figure out what the next best step is for you to take. In this video, we'll walk through some of our offerings related to GDPR as well as the pricing, scoping, and cost structure involved there.

Hi, I'm Chris Lippert, a senior manager at Schellman. I actually head up our privacy practice here at the firm and have been in the industry for over 10 years. So what that means is that I've seen privacy go from almost a nonexistent kind of thing in the industry to what it is today. Whether you're just starting out and you're interested in a readiness assessment or you're a little bit more comfortable with your program or ready to go for a type 1 attestation, our pricing for those assessments typically ranges from $30,000 to $80,000. We'll break down exactly what goes into that pricing, whether it's readiness or type 1, and kind of walk you through the next steps.

Pricing Factor #1: Readiness assessment or type I attestation

The first factor that will influence pricing here is going to be whether you're going for the readiness assessment or the Type I attestation. There is a different approach between those two types of engagements, which actually relates back to the standards that we have to adhere to as a firm. So with the Type I attestation, there's a little bit more due diligence involved, and there's an additional layer of testing and QA. Because of that, the readiness assessments will typically fall on the lower side of that scale, whereas the Type I may fall toward the middle or the high end of that scale.

Pricing Factor #2: The role that your organization plays

The second factor that goes into the pricing for our GDPR services is related to the role that your organization plays for those services and the scope of GDPR. So when I say the role that your organization plays, there are two different roles that are defined under Article I of the GDPR. Those roles are the controller role and the processor role. Depending on your role, there could be a different set of requirements that come into play that we would need to look at. So when I say a different set of requirements, there are Articles 2 through 5 of the GDPR that we typically cover for our readiness assessments and our Type I assessments. Articles 2 and 3 are typically only required for controllers, whereas 4 and 5 have requirements for both. So when your organization operates in that controller role, what that does is it requires us to look at the full set of requirements, which then drives up the price.

Pricing Factor #3: The size and complexity of the scope

The third factor that goes into our GDPR services and the pricing therein is the actual size and complexity of the scope of services covered by GDPR. So when I say size and complexity, it depends on whether we're looking at a single service line or at multiple service lines, or perhaps we're looking at a controller role where the processing is a little bit baked into the services and there are certain data subsets included in those services where you might be operating in both roles. So when we look at the scope of services, we need to determine exactly where those boundaries lie and what roles are defined therein. From there we can actually give you more accurate pricing for the assessments. So you may be thinking that $30,000 to $80,000 is quite a large range. We have privacy team members standing by to help walk through scoping exercises to determine more accurate pricing for your business. For that accurate pricing, go to our website, fill out the contact us form, and we'll have somebody from the privacy team reach out with next steps and accurate pricing for your organization.

About the Author

Chris Lippert

Chris Lippert is a Privacy Technical Lead and Manager at Schellman based out of Atlanta, GA. With more than five years of experience in information assurance, Chris has a concentration in privacy-related engagements. He is an active member of the Information Systems Audit and Control Association (ISACA) and International Association of Privacy Professionals (IAPP) and advocates for privacy by design and the adequate protection of personal data in today's business world.
