Independent reference. Not legal advice. Consult a qualified data protection lawyer for advice on your specific situation. Methodology and sources.
An independent cost reference

What GDPR compliance actually costs UK and EU businesses in 2026.

Per-line-item ranges for DPO appointment, programme implementation, tooling, training, audit, and ongoing maintenance. UK GDPR and EU GDPR presented side by side. No quote forms. No email gates. No vendor axe to grind.

Small
10-50 staff
£3k - £18k
See assumption set

UK only, no prior privacy programme, B2B, no regulated-sector overlay.

Mid-market
50-500 staff
£25k - £95k
See assumption set

UK only, partial prior programme, mixed B2B / B2C, processor count under 30.

Enterprise
500+ staff
£120k - £450k+
See assumption set

Dual-regime, multi-entity scoping, customer DPA volume, transfer-mechanism upkeep.

Year 1 cost ranges. Sources, assumptions and dates are published on the methodology page. The UK GDPR vs EU GDPR page sets out the post-Data (Use and Access) Act 2025 budget delta.

Cost components

Six budget lines decide what GDPR costs you.

Lightweight calculator

Sanity-check a year 1 GDPR budget.

Three inputs. Indicative range out, with the assumption set visible. Useful before approving a consultant’s quote, scoping an internal programme, or building a board paper. For a fuller scenario, see the full calculator.

Inputs: headcount, regime (UK GDPR, EU GDPR, or both), prior privacy programme.
Output: indicative year 1 range (default scenario shown: £25,000 to £95,000).

Indicative ballpark only. Excludes one-off litigation, M&A diligence, or transfer impact assessments triggered by sub-processor moves. For a fuller scenario with the assumption set printed, see the full calculator.

Five things teams underestimate

The line items that quietly destroy first-year budgets.

Evidence collection time

First-pass implementation programmes routinely budget 30-60 hours for evidence gathering across IT, HR, marketing, and finance. Real engagements typically run 90-200 hours once supplier records, processor lists, and historical consent state are reconstructed. Threefold overruns on this single line are common.

DPO threshold misjudgement

Article 37(1) mandates a DPO for public authorities (other than courts acting in their judicial capacity), for controllers and processors whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for those whose core activities involve large-scale processing of special-category or criminal-offence data. Borderline cases (employee monitoring, customer profiling, health-adjacent products) are misjudged, and the cost shows up post-incident when the regulator notes the absence as an aggravating factor.

Breach cost beyond the fine

Statutory fines are visible. Forensics retainers, legal counsel, the Article 33 72-hour supervisory authority notification, Article 34 data subject communications, regulator engagement, and post-incident remediation typically run five to twenty times the fine value for a mid-sized notifiable breach. The full picture sits at /fines-and-breach-cost.

CMP renewal escalation

Cookiebot doubled base pricing in mid-2025. OneTrust’s 2026 ACV floor pushed mid-market customers off the platform. Consent management platform (CMP) price stability cannot be assumed; year 2 budgets that simply roll forward year 1’s line item miss the regular vendor-side repricing.

Multi-entity scoping

Group structures with two or three legal entities triple the controller / processor mapping work, the DPA papering effort, and the supervisory authority surface. Programmes scoped at the parent level routinely discover three to five additional entities once the data flow walk is done in earnest.

FAQ

Four questions buyers ask before approving a GDPR budget.

How much does GDPR compliance cost a small business?
A 10-person UK business that pays the ICO Tier 1 data protection fee (£52, or £47 by direct debit, following the February 2025 uprating), uses a free or low-cost cookie consent tool, drafts policies in-house, runs basic awareness training (£7-£30 per head), and answers occasional advisory questions can spend roughly £400 to £3,000 in year 1. The number rises sharply once headcount, customer DPA volume, or B2C scale enters the picture. The full SME treatment sits on the small business page.
What does a Data Protection Officer cost?
Internal DPOs in the UK earn a median £50-65k base salary (IT Jobs Watch UK panel data, 2025-2026), with senior CIPP/E or CIPM holders ranging £80-150k. Fractional DPO retainers commonly run £500-£2,500 per month. DPaaS subscriptions advertise £4,000-£25,000 per year, and consultancy retainers are typically structured at £900-£2,200 per day. Crossover analysis is on the DPO cost page.
How much is the ICO data protection fee?
The ICO charges three tiers under the Data Protection (Charges and Information) Regulations 2018, as amended. The tiers were uprated by roughly 30% from 17 February 2025: Tier 1 (micro organisations) £52, Tier 2 (SMEs) £78, Tier 3 (large organisations) £3,763; the previous amounts were £40, £60 and £2,900. A £5 direct debit discount applies per tier. The fee is not a fine; it is a statutory charge funding the ICO’s regulatory work, and it is payable unless an exemption applies. Check the ICO’s current fee page before budgeting. The schedule and exemptions sit on the UK GDPR vs EU GDPR page.
What does a GDPR breach actually cost?
Many auditors and incident response firms model the total cost of a notifiable breach at five to twenty times the eventual statutory fine, once forensic retainers, legal counsel, customer communications, regulator engagement, and post-incident remediation are included. The IBM Cost of a Data Breach 2025 report places the UK average at roughly $4.07m. Treatment sits on the fines and breach cost page.