Building a business case for Data Discovery: What to consider


Data Discovery is like installing a Google Search Engine in your organisation’s data estate. It enables data-centric teams across Governance, Risk & Compliance, Information Security, and Digital IT Ops to find, classify and act on specific information across data sources quickly. This makes previously buried unstructured information stored across the business visible and searchable from a single location.

Whilst the applications for data discovery within a business are varied and numerous, it is still a relatively new concept for many. So, when a CISO, CIO, Head of Governance or an equivalent role wants to roll out a discovery programme, they often wonder how to build a business case and gain traction internally for this new project.

Of course, the business case and ROI for such a programme will differ depending on the organisation and use case, but here are some factors to consider:

The cost of doing nothing: GDPR fines

First, let’s look at the financial repercussions of GDPR violations. Fines can be issued via the ICO of up to €20m or 4% of global revenues, though, as we know, GDPR fines are discretionary rather than mandatory and are imposed on a case-by-case basis. Whether a fine is issued, and the value of that fine, is influenced by factors such as the action the company took to reduce the damage to individuals, the security measures in place and the types of personal data involved 1. This is a fairly simple equation in which awareness, response and knowledge are weighed against the regulation. It is well documented that an organisation knowing about the risks in its data but not taking appropriate measures to rectify them can be an “aggravating factor” that increases the size of the fine 2.

The most frequently compromised type of data, found in around 80% of all breaches and carrying the highest cost per record at an average of $150, is personally identifiable information (PII) 3. A tool like Data Discovery unfortunately can’t reduce the probability that a data breach occurs, but it can ensure that the business is equipped to identify over-retained and misplaced PII across the organisation, which drastically reduces the likelihood of a fine being issued and/or the amount of that fine.

So, how can you start to put a figure on the cost of risk when building your business case? Start by considering the amount of data in your estate, and specifically the amount of unstructured data and PII. To help, we’ve built a Cost of Risk Calculator which you can use for free on our website here.

The cost of doing nothing: Reputational fallout

Whilst GDPR fines can be substantial, the wider operational and reputational repercussions of a data breach can have a longer-lasting impact than the short-term fine. In fact, IBM 3 calculates that the average UK data breach costs a business $3.9M and takes as much as 256 days to identify and contain. And if your company happens to be well known to the general public, you can expect every detail of the breach to be shared under the media spotlight. In this case, over-retained PII may be the least of your worries, as employee email exchanges and sensitive financial information may also be publicly available for scrutiny (think back to the 2014 Sony Pictures hack and many others).

Though reputational damage is considered one of the biggest risks to an organisation (in fact, Risk Managers globally ranked it as the second biggest risk in 2019 4), quantifying it is trickier. But you can be sure that reputational damage can cause substantial and sustained financial fall-out, with companies taking immediate hits to their share price (Capital One reported a 6% loss in share price following their breach 4) as well as showing falls of up to 25% in market value over the following years 5. Breaches can also have a direct impact on customer trust, with one of the UK’s highest-profile cyber-attacks, at TalkTalk, resulting in the loss of 100,000 customers 6.

Save on storage costs

Many organisations might look at a Privacy or Security discovery project as a sunk cost on a single-point project, not only overlooking the two points above but also ignoring other benefits that can come from truly understanding their data estates. One of these is storage cost savings. Up to 80% of organisational data is unstructured, and 58% of that is thought to be over-retained information.

Think about the benefit to IT Operations if they could reduce their storage overheads by that amount (think infrastructure, bandwidth, redundancy, people, management!). A spring clean of your data estate not only enables you to save costs, but also boosts compliance and removes barriers to employees finding the correct information.

Wondering how much storage costs your organisation could save? Use our free Data Storage Reduction Calculator on our website here.

Gain brand trust and competitive advantage through tightened privacy

It’s fast becoming a reality that organisations and consumers choose to work with and buy from companies that can demonstrate good cyber and information governance baked into their capabilities. Frameworks like NIST, ISO27001 and ISO/IEC27701:2019 (the Privacy extension for ISO 27001), alongside the growing popularity within the UK of Cyber Essentials and Cyber Essentials+, show a growing recognition of the need to govern, manage and protect organisational information.

To win customers and gain competitive advantage, organisations should consider how software such as Data Discovery enables them to meet their obligations to enforce sound data protection and operate on privacy by design.

