Fortune and FTSE Firms to Spend Millions Gearing up for GDPR Compliance, New Survey Shows

October 25, 2017

  • Fortune firms allocate $1 million alone on technology for GDPR

  • Four in five (82%) FTSE firms have set aside budget for third party legal support

  • International law firm Paul Hastings surveyed GCs and CSOs in the UK and US to reveal true cost of GDPR compliance ahead of May 2018 deadline

London/Washington D.C. – FTSE and Fortune firms will spend on average £430,000 and $1 million respectively on technology alone to ensure compliance with the upcoming General Data Protection Regulation (GDPR), new research by leading global law firm Paul Hastings has shown today.

The survey of 100 FTSE 350 General Counsel (GCs) and Chief Security Officers (CSOs) and 100 Fortune 500 GCs and CSOs reveals that the biggest allocation of budget set aside so far to comply with GDPR is for technology. The mean technology budget set aside for FTSE firms is £430,000 and for their Fortune counterparts it is $1 million.

Despite these large sums of money being allocated, only 10% of firms in the UK and 9% in the US have currently purchased new technology, meaning many firms have yet to start this potentially lengthy process.

Behnam Dayanim, partner and global co-chair of the Privacy and Cybersecurity practice at Paul Hastings, said: “Our research shows that, while large businesses are taking GDPR compliance seriously, there remain worrying signs that they may be falling short in planning for implementation next May. £430,000 or $1 million may seem a large sum, but, for many larger and more complex companies, it reflects a small portion of the technology and other costs that ultimately may be required.

“The GDPR is high-stakes. The consequences of violation can be immense, both in terms of fines and in potentially crippling disruption of a business’s ability to exploit what in many instances is its most valuable asset.  And the clock is ticking.  GDPR compliance can entail substantial revision to existing procedures and systems.  Companies that haven’t yet begun already may find themselves in difficult straits come May; certainly, those that have been dragging their feet would be well-advised to strap on the running shoes and try to catch up.”

The EU’s General Data Protection Regulation (GDPR) is coming into force in May 2018 and will affect any business which controls or processes the data of EU citizens, regardless of where the business is located. As part of the wide-reaching regulation, businesses can be fined up to 4% of global turnover should they fail to comply with GDPR.

Surprisingly, 17% and 22% in the UK and US, respectively, said there was no budget for third party legal support, something which will be important for businesses before and after GDPR is introduced.

Firms are also setting aside budget for additional permanent staff to meet regulatory demands. Of the FTSE firms surveyed, 40% have set aside a budget of between £201,000 - £400,000 for additional permanent staff, and in the US 34% have allocated between $501,000 and $1 million.

About the survey

100 General Counsel/Chief Security Officers were surveyed from FTSE 350 firms in the UK and 100 General Counsel/Chief Security Officers were surveyed from Fortune 500 firms in the US in July 2017.

Please click here for an infographic which visualizes this data.

At Paul Hastings, our purpose is clear — to help our clients and people navigate new paths to growth. With a strong presence throughout Asia, Europe, Latin America, and the U.S., Paul Hastings is recognized as one of the world’s most innovative global law firms

Practice Areas


Data Privacy and Cybersecurity



Corporate, Litigation, Real Estate, Intellectual Property, Life Sciences, and Employment

Becca Hatton


Katy Foster


Miranda Ward

Submission Requests

Firmwide Inquiries

Elliott Frieder

Get In Touch With Us

Contact Us