Only 11% said costs would go down, while 23% expected it to stay the same and 7% were unsure, according to the SecureData EU General Data Protection Regulation UK Enterprise Inquiry.
Retail, distribution and transport sectors were the most concerned, with 72% saying it would cost them more, followed by financial services (56%), and manufacturing (44%).
Security and compliance officers need to begin assessing the risk presented to their organizations, said Etienne Greeff, managing director of SecureData.
The draft proposals require organizations to notify data protection authorities and affected data subjects within 24 hours. Nearly two-thirds of respondents said this would help improve business and security processes, and 58% said it would improve data protection.
But 40% expressed concern that it would advertise security weaknesses before an appropriate security review could be completed, 36% feared "false alarms" from pressures to notify of data breaches quickly, and 14% said it could reduce the possibility of catching data thieves.
This story was first published by Computer Weekly