Why should Management invest in Security, Risk and Compliance?

Most of us security consultants are well aware that security and risk management has cost implications for any industry. Numerous times, decision makers and upper management of organizations have to do a cost-benefit analysis before investing in a security program. Besides the cost of brand image loss, management has to weigh two opposing costs to decide whether or not to invest in a security program. On one side are the benefits which can be realised by limiting security controls. On the other side are the potential costs which the organization might be forced to bear because of non-compliance.

This paper presents a scenario for comparing the costs of adopting a DPA compliance program vis-à-vis the costs of non-compliance. Following is a compilation of all the penalties which have been imposed under the umbrella of the DPA.

The ICO holds the judicial responsibility to ensure that corporates comply with the DPA. The ICO has the following penalties up its sleeve to ensure the same:

1. Monetary penalties
2. Criminal prosecution
3. Undertakings and commitments from organizations
4. Non-criminal enforcement notices
5. Authority to audit
6. Search warrant

Since 2010, when the ICO was formally granted the power to issue penalties, DPA non-compliance monetary penalty statistics are as below.

The ICO has selected four sectors as priority areas in which to enforce and monitor information compliance. The sectors are:

- Health
- Criminal justice
- Local government
- Online and mobile services

The three top-ranking incidents in terms of penalties by the ICO have been the following:

1. Marketing communications (calls/texts etc.) leading to vulnerable potential customers being tricked into a sale
2. Leakage of sensitive data, intentionally or unintentionally
3. Exposed vulnerabilities in the company's systems which allow attackers to access sensitive data

Based on the above two lists, management can decide to do an initial assessment and take a call on whether to invest in a compliance program or not. The assessment would need to find out whether the organization has business processes which fall under any of the high-ranking DPA violations that have been penalised. It has to be noted that there are incidents outside the top-ranking ones which have attracted high-value penalties as well.

The most pertinent evaluation to decide whether to invest in a security and risk program is, however, done along the following lines. Let us take an example in which a financial services company is to decide whether to invest in a DPA compliance program. The initial drivers which make the management consider such a program are brand value, large corporate customers' demand for regulatory compliance and even management goals. Then each business function presents its case as to what the benefits are of accepting the risks rather than remediating them. For example, recovery agents in a financial services company would prefer to keep all historical data beyond the data retention periods mandated by DPA compliance. Their argument would be that such data allows them to investigate fraudulent activities through historical data mining, gives them the option to expand recoveries and directly improves the bottom line of the company. In such a case the management has to compare the estimated recoveries which could be made against the monetary penalties which the company would face for non-compliance. It is at this point that a consultant needs to provide insights with numbers, based on industry research as well as the company's own research, as to how the penalties due to non-compliance risk can outweigh the monetary benefits of the mentioned recoveries.

Based on historical data, non-compliance with the DPA can lead to fines of £350,000 to £500,000 directly from the ICO, even before leading to higher penalties by the UK judicial system.

