The GDPR has been a large-ticket item for IT departments over the last year. According to PwC, 68% of large U.S. multinational corporations will each have spent between $1 million and $10 million on GDPR readiness and compliance in the run-up to the May 2018 deadline. Forrester Research reported that 48% of midsize to large companies in the U.S., U.K., Germany and France would spend at least $1 million on GDPR compliance, with 15% earmarking more than $5 million.
These numbers may be only a small portion of the overall enterprise-software spending Gartner predicts for 2018, but they are still a considerable amount for most companies. It is therefore dangerous to assume the GDPR will be a one-off line item in IT budgets that stops being a concern after May 25. The deadline also arrives at a time when businesses are already under significant pressure to become more agile and flexible so they can fend off emerging-market and digitally savvy competitors. That adds to the challenges facing IT organizations, which may have to deal with a number of what-if scenarios, the biggest being: what if your initial GDPR investment is insufficient to achieve compliance? And if that happens, how should the organization keep the GDPR from becoming a costly millstone that prevents it from becoming more agile and ready for the digital-business era?
Many organizations have taken a long-term approach to the GDPR, integrating it into broader digital-transformation initiatives that modernize existing infrastructure while building in the flexibility to meet the terms of data-protection laws. Such organizations are one step ahead, but they must still watch for “mission creep,” because the interpretation and enforcement of the GDPR will evolve and IT systems will have to respond. That demands an agility that has historically been difficult to achieve within the confines of legacy infrastructure without incurring major implementation expenses. Companies can avoid spiraling costs by building a core IT architecture designed with agility and collaboration in mind: one that lets disparate data-management applications share information, so that critical GDPR requirements (locating every record held on a data subject across systems when a subject-access or erasure request arrives, for example) can be fulfilled simply. Likewise, companies that have yet to roll out their plans, or are still wondering how to fund them, should see the GDPR not just as an add-on but as an opportunity to create an underlying architecture whose core purpose is to enable collaboration between applications. That approach provides the flexibility to deliver compliance today and tomorrow.
Interestingly, Forrester Research hinted at a serious danger of the GDPR: the potential for spiraling costs. Of the respondents to a recent Forrester survey, 58% said they’d need an annual maintenance budget of more than $1 million to ensure compliance, and 67% suggested that figure may rise. On one level this response is pragmatic, because no one yet knows how the regulation will unfold; it could demand further investment to address unanticipated consequences. The numbers also reveal the realism of battle-hardened IT departments, which are well used to the spiraling cost of “keeping the lights on.” Perhaps they sense that the GDPR will simply add to the burden of operational IT, which already consumes 89% of existing budgets. Clearly, this is a far-from-desirable consequence of the GDPR at a time when companies would prefer to be investing in an agile IT infrastructure ready to compete in today’s digital world.
This concern gains more weight when you take into account the number of companies that doubt they’ll be ready by May 25. Gartner predicted in 2016 that, by the end of 2018, more than 50% of companies affected by the GDPR would still be less than fully compliant. In January 2018, Forrester issued a less dire warning: according to ZDNet, 11% of companies were still considering what to do about the GDPR, and a further 8% were entirely unfamiliar with the topic! Even if you take such statistics with a pinch of salt, these are worrying signs that GDPR compliance won’t be a one-off line item on the IT budget. Rather, it may become something that adds to already bloated operational IT expenditure. Indeed, the same ZDNet article suggested that 22% of organizations expect to be compliant only within the next 12 months, confirming that projects will likely drift beyond the May 25 deadline.
There’s some logic in GDPR investment continuing beyond the initial deadline, because the interpretation of the regulation will become clearer in time. But knowing that the days of unrestrained IT budgets are long gone, IT departments should be concerned about the GDPR adding ongoing costs to their budgets. As such, the CIO must answer two critical questions:
- Will the IT team be expected to add the GDPR to its operational budget, thus increasing “lights on” expenditure?
- If so, how will that change affect investments elsewhere?
In answer to both questions, there’s a case for an open-source-based strategy, because it gives CIOs greater flexibility and dramatically lowers costs without sacrificing performance for many applications. For example, moving legacy commercial databases to open-source alternatives can greatly reduce the cost of maintaining complex licensing agreements and the recurring annual maintenance fees. (My colleague Marc Linster has talked about how the financial-services industry has turned to open source to cut costs and increase agility.) If you run an open-source database such as PostgreSQL without a commercial support contract, you’ll avoid direct licensing charges, but you’ll have to consider the staffing implications and operational challenges of running such systems without dedicated support, something that Dave Page, chief architect at EDB and a core team member of the PostgreSQL Global Development Group, has explained in detail. If you choose a vendor-backed open-source solution, you’ll pay subscription charges but avoid additional maintenance costs and the threat of vendor lock-in. Furthermore, the responsiveness of open-source communities can make the security fixes that GDPR compliance may require available sooner than the slower patch cycles of the major commercial vendors. The caveat is that a fix reduces your exposure only once you have tested and applied it, so a faster upstream release still needs a disciplined patching process on your side.
Open source, however, provides even more strategic benefits for organizations that want to prevent the GDPR from becoming a millstone. Many open-source products, like PostgreSQL, are designed for flexibility and interoperability with other systems, making them more responsive to the fast-changing demands of the digital era. That flexibility lets businesses adapt quickly to new opportunities, because open APIs allow IT departments to rapidly integrate new functions developed by the community or by vendors. The savings on licensing also free up valuable resources, allowing organizations to fund those new capabilities.
The message is clear. The expense of the GDPR might be unavoidable, but you needn’t let it become a millstone that reduces your ability to become more agile and integrate new technologies. Lean on open source to give you the flexibility and cost savings to reinvest in innovative applications that help your business compete more effectively in the digital-business era. Then you can concentrate on what’s important to your business: driving growth, improving productivity and strengthening customer loyalty.
About the Author
Ken Rugg is EnterpriseDB’s chief product and strategy officer and is charged with leading the company’s product and strategic vision. Before joining EDB, Ken was the founder and CEO of Tesora. The Tesora DBaaS Platform, based on OpenStack Trove, let enterprises provide self-service database provisioning and full life-cycle management to their developers across 16 different databases, including Postgres, MySQL, Oracle, MongoDB and Cassandra. Before founding Tesora, Ken served as Senior Vice President and General Manager for Enterprise Business Solutions (EBS) of Progress Software, which comprised several enterprise-infrastructure product lines. The EBS business unit included the Actional, Apama, Fuse, Savvion and Sonic products. Ken joined Progress Software when it acquired Object Design/eXcelon, where he served as VP of product development and chief technology officer.