Compliance or noncompliance, that is the question. Is it an economically sound strategy to spend the necessary resources to remain compliant with regulations that affect your business or market sector? Or is it better to roll the dice and hope that your company will never be called upon to demonstrate the degree to which it followed regulatory guidelines?
Choosing to comply with data privacy or retention policies that are enforced by governmental or other third-party entities may seem like an avoidable expense to some decision-makers. They might surmise that the odds of being held accountable for noncompliance are low and the immediate savings are worth a gamble. The evidence suggests that taking that approach is shortsighted and can have dire consequences for organizations that adopt it.
The Cost of Compliance
Companies that elect to comply with regulations aimed at their business need to be prepared to deploy the right resources. This involves a mix of people, processes, and technology to address the specific standards with which they need to comply.
We are going to look at the European Union’s General Data Protection Regulations (GDPR) to illustrate the various factors that add to the cost of compliance and the penalties that are used for enforcement. Any company that conducts business with EU citizens needs to comply with the standards defined in the GDPR. The same general structure can be used by organizations to comply with different sets of regulations that may affect them.
Compliance costs incorporate all of the various expenses that are required to keep an enterprise compliant with the regulations that apply to their business. There are multiple aspects of a compliance initiative that need to be considered when determining an initial budget for the project.
- The cost of compliance needs to take into account the salaries of the individuals who are responsible for implementing the program as well as the systems and tools necessary to implement it.
- Compliance is an ongoing effort that will evolve as regulations change. It requires staying abreast of changes to standards and modifying internal processes appropriately.
- Costs will increase as a company expands to address the regulations that affect customers and entities in different global jurisdictions.
The scope of data that an organization collects, and whether it acts as a data controller or a data processor, can influence the cost of compliance. The GDPR places greater emphasis on the data protection obligations of controllers. A company acting as a data controller should take additional measures to ensure that it is complying with the regulations.
Paying the Price for Noncompliance
The precise cost of compliance is hard to determine. Numerous variables make it difficult to put an exact number on the financial expenditures and employee hours required to conform to regulations. It can be easier to identify the cost of noncompliance, at least from the perspective of immediate financial penalties.
GDPR allows for multiple fine levels and other disciplinary actions to be taken based on the severity of the regulatory infringement. In addition to monetary penalties, organizations that run afoul of the regulations can be subject to:
- Warnings and reprimands;
- Permanent or temporary bans on data processing;
- Suspension of data transfers to third countries;
- Orders to rectify issues with data which may include its erasure.
Financial penalties are categorized as being either of a lower or higher level based on which GDPR privacy regulation has been broken.
Lower-level penalties can be addressed with fines of up to 10 million euros or 2% of annual global turnover, whichever is greater. Some of the violations that are considered lower-level include infractions of articles defining:
- Conditions for children’s consent;
- General data processing and controlling obligations;
- Certification and certification bodies.
Higher-level penalties can bring fines that equal the greater of up to 20 million euros or 4% of global turnover. These fines are enforced for infringement of GDPR articles such as:
- Lawfulness of processing;
- Conditions for consent;
- Data subjects’ rights;
- Data transfer to third countries.
These are only the financial penalties that accompany a data breach found to have violated GDPR regulations. The cost of negative public relations and lost business can greatly exceed the initial fines. Customers are more concerned with data privacy than ever before and will find an alternative solution to organizations that do not take the protection of sensitive data seriously.
Compliance is the Better Option
Neither compliance nor noncompliance is an inexpensive option. One of the biggest factors that makes compliance appear to be the better choice is the non-financial and unquantifiable ramifications of failing to comply with regulations that directly affect your customers. A company can recover from even a substantial fine. The loss of its customer base due to its failure to protect private information can be devastating.
In SQL Server environments, a tool like IDERA’s SQL Compliance Manager can help your database team ensure that sensitive information is well-protected. The application enables the team to audit SQL Server databases to identify data that needs to be protected. Access to data resources can be monitored and logged with alerts generated to control privileged database activity. Powerful reporting functionality enables an enterprise to demonstrate compliance and produce evidence for external audit teams.
The potential downside of noncompliance should convince most decision-makers that it’s not worth taking the risk. Even though implementing compliance is a complex and expensive strategy, it pales in comparison to the expenses involved in cleaning up after a data breach. Do the right thing and protect the sensitive data in your databases. Everyone from your customers to employees will benefit in the long run.