The average cost of achieving compliance has been found to be more than £2 million, while the cost of non-compliance is almost £6 million.
Research by the Ponemon Institute and Tripwire to estimate the costs associated with an organisation's compliance efforts, evaluated the economic impact of non-compliance and if it exceeds the spend on enterprise compliance initiatives.
It found that data protection and enforcement activities ranked among the most expensive compliance activities, while business disruption and loss of productivity were found to be the most significant consequences for companies that did not achieve or maintain compliance.
When addressing external compliance, PCI DSS, state privacy and data protection laws, the European Union Privacy Directive and Sarbanes-Oxley were named as the main drivers for investment in compliance and also among the most difficult requirements to comply with.
In terms of allocating budget to managing the cost of compliance, the areas of considerable spend include complying with laws and regulations (£1 million), addressing internal policies and procedures (£750,000) and funding contractual agreements with partners, vendors and data protection authorities (£355,000).
Rekha Shenoy, vice president of marketing at Tripwire, said: “Organisations today are confronted by a growing number of compliance challenges and it can be extremely difficult from a resource perspective to address these concurrently.
“However, businesses that invest in continuous monitoring and conduct frequent audits can drastically reduce the business and financial consequences associated with non-compliance.”
Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, said: “Businesses are aware that compliance efforts often require a significant investment, but our report supports the value of making that investment versus remaining non-compliant with data protection regulations.
“It is our hope that, by assigning a value to the risk associated with non-compliance, we will help IT security and compliance professionals make a more compelling case for bringing their organisations in line with best practices for data protection.”