Data Privacy Legislation is Driving Compliance

An increasingly robust set of data-privacy laws backed by active regulators is driving governments and private-sector groups alike to invest significantly in data protection or face financial penalties, business disruption, and public censure.

The chief concern for compliance and security teams is changing regulations across various geographies – cities, states, and countries. If multi-state and country businesses thought at the start of 2023 complying with a patchwork of U.S. state privacy laws was going to be a lot of work, now they’re overwhelmed.

In 2023 alone, the number of US states with comprehensive privacy laws went from five to eleven. And Delaware is awaiting their governor’s signature to become the twelfth. Despite the business community’s interest in an all-encompassing federal data privacy law, such a development remains elusive. 

Understanding the evolving regulatory landscape and their applications in a more dynamic way such that it’s not disruptive to engineering is nearly impossible. Many of the CISOs I’ve spoken with dedicate 1-2 hours per day getting up-to-speed on these changes by talking to their lawyers, reading compliance blogs, and engaging other CISOs.

As an example of the random additions in key jurisdictions, California recently drafted risk assessment regulations that would force companies to determine risk before collecting any personal data and show how they would mitigate any significant risks. 

The cost of non-compliance is now 3x higher than the cost of compliance through implementing governance and compliance frameworks and solutions. 

According to Soumendra Mohanty, chief innovation officer and chief strategy officer of data analytics company, Tredence, “The cost of non-compliance is massive from both a financial and reputational perspective. It can cost companies up to nearly $31 million to maintain compliance, depending on the industry, yet non-compliance can quickly double those numbers,”.