
Data protection compliance costs less than noncompliance

Smaller companies -- with fewer than 5,000 employees -- in particular may be hit hard by GDPR requirements and other data compliance hurdles. A new report does the math.

Research has shown that having a CISO can lower the cost of a data breach. But is there an effect on the cost of data protection compliance?

In many industries, the value of data is increasing, and so is the cost of protecting sensitive and confidential information. Regulatory scrutiny of information security is higher in industries such as financial services and healthcare, but that doesn't mean other companies are off the hook. In addition to PCI DSS, HIPAA and state data-breach notification and privacy laws, international businesses now face the European Union's General Data Protection Regulation (GDPR), which takes effect in May 2018.

Smaller companies -- with fewer than 5,000 employees -- in particular may be hit hard by data protection compliance costs. In a December 2017 report, "The True Cost of Compliance with Data Protection Regulations," the Ponemon Institute interviewed 237 functional leaders at 53 multinationals located in the United States and found that the average cost of compliance in fiscal year 2017 was $5.47 million, with companies allocating 14.3% of their IT budget to compliance spending. The average cost of noncompliance during the same 12-month period was $14.82 million.

According to researchers, key findings centered on six areas -- data security, enforcement, forensics and monitoring, program management, policy, and communications and training. Data security -- 63% of which was allocated to security technologies -- represented the highest average cost, at $2 million, and policy ranked the lowest, at just under $400,000.

The most difficult data protection compliance to achieve, according to those surveyed, is with GDPR (90%), PCI DSS (55%), U.S. state laws (50%), HIPAA and the HITECH Act (39%) and the Sarbanes-Oxley Act (33%).

Business disruption represented the highest average cost at the companies surveyed, at $5 million, and fines and penalties were the lowest, at less than $2 million. As with any cost analysis, the devil is in the details; Jack Jones of the nonprofit FAIR Institute has complained that the information provided in the report is "a missed opportunity" and hard to decipher.

Data protection compliance is not the same as data security. However, according to the report, the cost of compliance is inversely related to the effectiveness of the company's security posture. In other words, organizations with a higher security effectiveness score -- or SES, a rating system based on Ponemon's proprietary methodology -- had a lower cost of compliance (and of noncompliance). Of the SES measures, a fully dedicated CISO topped the list.

This was last published in February 2018

Does your organization separate the cost of compliance activities from security and risk management?