Retail sector struggles with regulatory compliance, despite £50m average spend, study shows

Tanium, a provider of unified endpoint management and security software, today unveiled research showing that, despite retail businesses spending tens of millions on compliance, over 90% have fundamental IT weaknesses that leave them vulnerable and potentially non-compliant. Coming after the decision by Britain’s Information Commissioner’s Office to delay fines for breaches of GDPR, this places a question mark over the future of data regulation enforcement.

The global study of 750 IT decision makers, including 99 respondents from the retail sector, revealed that retail organisations each spend on average £50 million annually to comply with the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and other data privacy regulations. A majority of organisations have also hired new talent (87%), invested in workforce training (88%) and introduced new software or services (86%) to ensure continued compliance.

However, despite this increased investment, retail companies still feel unprepared to deal with the ambiguous regulatory landscape, with 41% saying that fragmentation of the IT estate is the biggest barrier to maintaining compliance with GDPR.

Increased spending not solving visibility challenges

The study reveals that 60% of IT leaders in the retail industry find new endpoints on a weekly basis. Given that clear visibility and reporting are needed to comply with data regulation, such widespread visibility gaps cast doubt on how GDPR and CCPA will be enforced.

The research also found that retail companies have implemented an average of 43 separate security and operations tools to manage their IT environments. Such tool sprawl is likely to limit further the effectiveness of already-siloed teams and to create unnecessary complexity.

Chris Hodson, chief information security officer at Tanium, said: “While it’s encouraging to see global businesses investing to stay on the right side of data privacy regulations, our research suggests that their good work could be undermined by inattention to basic IT principles. Many organisations seem to have fallen into the trap of thinking that spending a considerable amount of money on GDPR and CCPA is enough to ensure compliance. Yet without true visibility and control of their IT assets, they’re leaving a backdoor open to malicious actors.”

“Technology leaders need to focus on the fundamentals of unified endpoint security and management to drive rapid incident response and improved decision making. The first step must be gaining real-time visibility of these endpoints, which is a crucial prerequisite to improved IT hygiene, effective risk management, and regulatory compliance.”