IT Staff Faces Growing Data Protection Compliance Burden

Recent research conducted by Hornetsecurity has revealed that compliance with data-protection requirements has become an increasingly burdensome task for IT departments. The study, which surveyed IT leaders in approximately 200 organizations, found that 80% of organizations are more concerned about compliance than they were five years ago. Yet in over half of businesses, the responsibility for maintaining a sufficient level of compliance falls on the IT department.

The survey also found that a significant number of organizations lack a dedicated compliance officer: 37.5% of respondents indicated that their organization did not have one in place. Additionally, 69% of participants stated that compliance has a moderate to extreme impact on their IT department’s operations. Alarmingly, 13% of companies were unable to confirm whether they were compliant with required controls, owing to a lack of resources.

The research suggests that compliance is seen as a hindrance rather than as an enabler of risk management. Many organizations offload compliance to their IT departments regardless of whether those departments are equipped to handle it, a situation that has raised concerns among industry experts.

CEO of Hornetsecurity, Daniel Hofmann, expressed his concerns about the burden being placed on IT departments due to a lack of compliance staff and policies. He stated, “The fact that more than half of companies are hindering the day-to-day work of IT departments through lack of compliance staff and policies is a huge concern.”

Andy Syrewicz, technical evangelist at Hornetsecurity, believes that there is a negative perception of the compliance burden, not only at the technology level but also in most businesses. Many organizations view compliance as a necessary cost of doing business, similar to taxes. However, the heavy burden of compliance is increasingly falling on IT teams, and businesses are searching for ways to address this issue.

Rowenna Fielding, director of Miss IG Geek, explained the significant impact that the General Data Protection Regulation (GDPR) has had on businesses. She stated that the Accountability Principle of the GDPR required organizations to demonstrate with evidence that they are upholding data-protection principles. This requirement exposed the compliance debt that many organizations had been carrying and necessitated substantial changes to meet the more stringent standards.

Fielding drew parallels with health and safety laws and consumer rights regulations, highlighting how these safeguards are often seen as burdens instead of responsibilities by some business decision-makers. She emphasized the importance of business leaders implementing clear and realistic strategies and facilities for compliance, treating it as a responsibility rather than a burden.

Regarding the responsibility for compliance falling on IT departments, Fielding warned that this approach is a recipe for disaster. IT’s role should be to ensure that IT equipment and services enable the organization to meet its compliance obligations, not to act as the sole overseer of compliance for the entire organization. Each business unit should determine its own operational parameters within the organization’s strategy and implement the compliance requirements relevant to it.

Fielding argued that the responsibility for compliance should be spread throughout the organization, starting at the top. Senior management should provide the rest of the organization with the guidance, resources, and support needed to meet legal, contractual, and business obligations. However, she noted that top-level management often assumes compliance can be achieved simply by issuing directives and threatening punishment for noncompliance. This approach neither incentivizes compliance nor provides adequate resources for achieving it. Fielding stressed the need to build and maintain a culture that enables compliance rather than scapegoating junior employees for noncompliance.

In conclusion, the research highlights the growing burden that compliance with data-protection requirements places on IT departments. It emphasizes the need for organizations to take a more holistic approach to compliance, spreading the responsibility throughout the organization and creating a culture that encourages and supports compliance efforts.
