In Data Security and Privacy, Compliance Has a Scale Problem

By Matt Hartley, Co-Founder & Chief Product Officer, BreachRx

Technology Is Playing an Important Role in the Solution

When it comes to complying with data privacy and security regulations, compliance teams have a scale problem. Today, businesses face over 180 data privacy laws in over 120 countries, with more on the way. Not only is the volume of regulation growing, but it is also evolving. Countries like the United Kingdom are considering strengthening their data privacy and security laws by adding new provisions such as making privacy management programs a compliance requirement.

This problem is compounded by growing customer pressure for companies to shore up their data privacy and security programs. In addition to closely tracking regulation, compliance and legal teams now have to ensure the fulfillment of contract addenda as well.

In order to remain compliant with a dynamic regulatory and contractual environment, compliance teams need to scale. However, this can’t be done by continuing to just throw people and money at the problem. Already, privacy teams average 18 full or part-time staff members. In addition, legal departments are spending millions of dollars a year on outside counsel to augment in-house privacy compliance resources and knowledge. While outside counsel is a critical part of the equation, law firms also struggle to scale due to the scarcity of data privacy and security talent.

Incidents drive up these costs, and unfortunately, they are not infrequent. Teams can be juggling up to hundreds of minor incidents at any given moment, and nearly half (47%) have also experienced a major data breach in the last year. With the average cost of a breach at $4.24M, the continuous cadence of incidents is draining organizations of time and resources.

When a privacy incident occurs (ranging from a lost laptop or misdirected email to a major data breach), over 70% of the costs of an incident are attributed to legal and compliance issues, compared to only 30% on security. However, historically, the lion’s share of technology investment has gone towards security technologies, rather than compliance technologies.

Today’s dynamic regulatory and contractual environment is demanding change. Compliance teams require technology in order to scale. Tech can support incident and regulatory response and compliance in three ways:

  1. Preparation – Compliance leaders can get ahead of regulatory enforcement by establishing streamlined workflows. Harnessing a technology platform as a workspace can centralize communications and help clearly assign and manage tasks (while protecting legal privilege). This workspace can also be the home of incident response and regulatory playbooks that dynamically update in tandem with changes in regulatory and contractual obligations, reducing the burden on the team’s time.
  2. Response – When data privacy and security incidents inevitably occur, the compliance team can use automated workflows in their tech platform to accelerate the response. This can help jumpstart the process and ensure compliance with all requirements.
  3. Ongoing Management – Just as data privacy and security should be built into products by design, it should also be built into compliance and legal workflows by design. Using a centralized and integrated technology platform can enable measurement and tracking of privacy compliance in order to move teams to a more proactive posture. This measurement can also inform regulator notifications and enable board-level reporting and discussions that businesses desperately need today.


When examining technology solutions, compliance leaders should consider the following:


Data Privacy & Security Technology – Vendor Checklist

Category             | Requirement                                                                                                      | X
---------------------|------------------------------------------------------------------------------------------------------------------|---
Legal & Risk         | Is the vendor compliant with established industry standards and/or security frameworks?                         |
Legal & Risk         | Does the vendor have privacy policies and practices in place?                                                    |
Legal & Risk         | Does the vendor have established security program practices?                                                    |
Legal & Risk         | Does the vendor have an incident response program in place?                                                     |
Legal & Risk         | Has the vendor experienced a data breach in the last 5 years? If so, how many and of what severity?             |
Legal & Risk         | Is the vendor covered by cyber insurance?                                                                       |
Support Services     | Will the vendor train appropriate personnel on privacy incident response and conduct tabletop exercises?        |
Support Services     | Will the vendor train appropriate personnel on product usage?                                                   |
Support Services     | Will the vendor help onboard our organization and integrate with our existing program?                          |
Support Services     | Will onboarding require internal resources or engineering hours?                                                |
Product Capabilities | Does the vendor product offer workflow automation?                                                              |
Product Capabilities | Does the vendor product align with regulatory best practices?                                                   |
Product Capabilities | Does the vendor product dynamically update regulatory requirements?                                             |
Product Capabilities | Does the vendor product offer regulatory notifications for new updates?                                         |
Product Capabilities | Does the vendor product include a contract library?                                                             |
Product Capabilities | Does the product enable real-time collaboration among users and departments?                                    |
Product Capabilities | Does the vendor product include reports & dashboards?                                                           |
Product Capabilities | Does the vendor product allow for data customization in their user interface without coding changes?           |
Product Capabilities | Does the vendor product focus on legal protections?                                                             |
Product Capabilities | Can the vendor product be tailored to our environment and regulatory requirements?                              |
Value                | Does the vendor product offer ROI relative to current activities?                                               |


Increasing volumes of privacy regulations are raising the bar for compliance leaders. To reduce regulatory risk, compliance teams need to be able to scale to match the magnitude of their regulatory obligations. The right technology can augment teams and give them the scale they need to get ahead and turn incident and regulatory compliance from a crisis into a manageable business operation.
