GDPR: True Cost of Compliance Far Less Than Non-Compliance

With the May deadline for compliance edging ever closer, a vast majority of organizations (90%) believe that compliance with the upcoming General Data Protection Regulation (GDPR) would be difficult to achieve.

A survey from GlobalSCAPE and the Ponemon Institute has found that GDPR is considered by respondents to be the most challenging among other data compliance regulations, such as Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Federal Information Security Management Act (FISMA). However, the cost of non-compliance has significantly increased over the past few years, and the issue could grow more serious.

It is necessary to comply with regulations and policies, while financial services companies face more than $30.9 million annually in compliance costs. These costs widely vary based on the amount of sensitive or confidential information a particular industry handles and is required to secure. That said, the average cost of compliance increased 43% from 2011, and totals around $5.47 million annually.

However, companies are not spending enough on maintaining or meeting compliance, as it only accounts for an average of 14.3% of the IT department’s budget. That comes with even greater costs: The average cost of non-compliance increased 45% from 2011, and adds up to $14.82 million annually.

That means that non-compliance costs 2.71 times the cost of maintaining or meeting compliance requirements. Non-compliance costs come from the costs associated with business disruption, productivity losses, fines, penalties, and settlement costs, among others.

In terms of fixing this and meet compliance mandates, organizations can employ a number of methods that can factor into the total cost. These could include administration overhead, consultant services, training, and communication and technology, among others. Data security has the highest average compliance cost for organizations, averaging $2 million a year.

When looking at the top three technologies already in use to maintain compliance, of the companies surveyed, organizations annually spend around $1.34 million on compliance-related platforms, $1 million on incident response, and $750,000 on audit and assessments. This investment does ultimately pay off, according to the results, as companies conducting regular audits had a reduced overall compliance cost. More than two audits a year can significantly reduce this cost: companies might find themselves paying $14 million if they run more than two audits versus $27 million for one or two audits a year.

Organizations that implement centralized data governance also stand to save the most, as they could reduce their compliance costs by $3 million.

An organization’s security posture can also vastly increase or decrease the cost of compliance or non-compliance. Even established regulations such as HIPAA or PCI-DSS now include requirements specific to data security or data breach responses. Organizations that do not have an effective or strong security ecosystem in place face up to an average of $25 million in annual costs to meet compliance.

“The findings from both the 2011 and 2017 studies provide strong evidence that it pays to invest in compliance,” said Larry Ponemon, chairman and founder at Ponemon Institute. “With the passage of more data protection regulations that can result in costly penalties and fines, it makes good business sense to allocate resources to such activities as audits and assessments, enabling technologies, training and in-house expertise.”

“It’s not surprising that the overall cost of compliance has risen so drastically over the past six years,” said Peter Merkulov, CTO at Globalscape. “Data is a precious commodity for individual consumers and multinational organizations alike. And the threat posed by cyberattacks is only growing exponentially. Understanding where your data travels, resides, and how to best protect it is no longer an option for companies, especially as their businesses’ livelihood is also at stake. Organizations have a responsibility to their customers, partners and vendors to protect data, which also means being constantly vigilant with compliance mandates or regulations such as GDPR or PCI DSS. Whether that protection comes as a result of investment in technologies like data loss prevention, managed file transfer, data classification, or governance, risk, and compliance solutions, or better enforcement of current data protection policies, the risks and reward from a cost perspective is pretty clear.”

What’s Hot on Infosecurity Magazine?