Understanding the Costs and Complexity of Data-Privacy Compliance