The True Research Compliance Cost: What Non-Compliance Really Means for Institutions
- Vafa Javadova
- Jan 14

All parts of life have laws and guidelines that must be followed, and research is no different. Regulatory agencies are raising the bar for data protection, ethical behavior, and transparency. However, many research teams continue to underestimate the costs of non-compliance despite a rise in regulatory requirements.
Regulatory Bodies in Canada
Canada has multiple regulatory bodies whose rules affect privacy and ethics when conducting research.
For instance, many research projects rely on funding from the Tri-Agency Council (CIHR, NSERC, SSHRC). These agencies do not merely provide resources; they also establish the mandatory data-management, ethics, and research standards that grantees must follow. Under the Tri-Agency Research Data Management Policy, institutions that are eligible for their funding are required to adopt a formal Research Data Management (RDM) strategy.
In effect, receiving Tri-Agency funds places you under binding requirements, and non-compliance with them can jeopardize your current and future funding.
Additionally, the Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s privacy law that outlines how businesses can and cannot collect, use, and share personal data. For researchers, this means:
- Data must be collected with explicit, informed consent
- Participants need to be told how their data will be used
- Data is expected to be securely stored and access-controlled
Canada’s Responsible Conduct of Research (RCR) Framework also requires researchers to maintain accurate records, use data responsibly, manage collaborations ethically, and guarantee appropriate data stewardship. Violations may result in investigations, grant suspensions, and penalties. Together, these frameworks make the compliance environment more demanding than it has ever been.
HIPAA (United States)/PHIPA (Canada)
The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. federal law that regulates the handling, storage, and sharing of protected health information. This applies to any data linked to identifiable individuals, such as clinical data and medical records. HIPAA violations can occur when data is improperly stored, shared without authorization, or accessed without proper controls.
While Canada doesn't have a single law identical to HIPAA, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) acts as the broad equivalent for private businesses. Provinces such as Ontario, however, have their own stricter health-privacy laws, such as the Personal Health Information Protection Act (PHIPA), which is more directly comparable to HIPAA for health information. PHIPA mandates the protection of personal health data and requires that the information be accurate and up to date.
Depending on the nature of the research, other regulatory frameworks may also apply. These include 21 CFR Part 11 for clinical research, NIST SP 800-171 for Controlled Unclassified Information (CUI) in non-federal systems, as well as various jurisdictional data privacy regulations.
GDPR (European Union)
The General Data Protection Regulation (GDPR) is Europe’s data privacy law that imposes strict rules for collecting, processing, and storing personal data. For research teams, GDPR requires explicit consent, strong security measures, and demonstrable documentation of data handling procedures. It also gives individuals the right to demand the erasure of their personal data from certain organizations.
GDPR applies to any study involving EU residents, even if the research team isn’t based in Europe. For example, a Canadian research team obtaining data from an EU resident will still be held accountable for complying with GDPR.
These jurisdictional nuances must be well understood very early in the project lifecycle. Indeed, it’s the author’s view that this understanding must be incorporated into the Data Management Plan (DMP) that is submitted to their IRB/REB for protocol review and approval.
Looking Beyond Major Frameworks
Researchers must also navigate procedural and consent-related requirements, including but not limited to:
- Documentation of informed consent
- Verified ethics board approvals
- Secure storage and access controls regarding data
- Timely reporting of protocol changes
- Transparent data-handling plans
The Effect of Non-Compliance on Institutions
Regulatory bodies hold the power to penalize research-related breaches. This applies to academic institutions, public as well as private companies, and principal investigators (PIs).
Some notable examples include:
HIPAA Violations:
In 2018, the University of Texas MD Anderson Cancer Center was fined $4.3 million USD after failing to encrypt research devices containing patient data.
PHIPA Violations:
In 2020, LifeLabs reached a $9.8 million CAD Canada-wide settlement due to a data breach that exposed the personal health data of around 15 million customers.
As these two examples suggest, the cost of non-compliance isn't merely a few dollars; it can cost institutions millions of dollars. According to a study conducted by Ponemon Institute LLC, the average cost of non-compliance is $14.82 million per organization, including the costs of penalties, settlements, and consulting fees.
Money Cannot Fix a Reputation
Though fines can be paid and settlements reached, the reputational damage that happens to a researcher or institution due to non-compliance cannot always be repaired.
Consequences include:
- Damaged credibility and trust
- Loss of partnerships
- Withdrawal of funding
- Negative media exposure
- Long-term declines in institutional prestige
Research thrives on trust. Once this trust is compromised, rebuilding it can take years.
The Role of Modern Research Infrastructure
Given the severity of compliance risks, a contemporary Research Administration & Research Data Management (RDM) platform is needed.
This platform must support:
- Strong Data Governance - secure storage, role-based access control, and audit logs
- Consent Compliance - support for documentation of consent and approved IRB/REB protocols
- Global Collaboration - secure global access and permission controls that reduce the friction of collaboration while complying with global regulatory control requirements
- Ethics Integration - support for robust IRB/REB ethics submission, review, and approval processes, and easy retrieval for audits
Final Thoughts
The costs of non-compliance are rising, with real-world fines, operational disruptions, and practically irreversible reputational damage growing more severe each year.
Modern infrastructure like myLaminin addresses compliance challenges through a platform built specifically for modern research governance.
myLaminin supports:
Data Security
Secures data through web3 and blockchain protections.
FAIR and Open Science Compliance
Built-in workspaces to ensure publishing follows FAIR and Open Science Principles through myLaminin’s Open Science Search.
Trusted Repository Publishing
Allows publishing on myLaminin and has direct pathways to Harvard Dataverse, Borealis, and institutional repositories.
Ethical Research Management
Centralized storage of consent forms, protocols, and other data in compliance with ethical standards.
Cross-Jurisdictional Collaboration
Secure collaboration for inter-disciplinary and cross-jurisdictional research teams spanning several continents.
In fact, myLaminin has a “Cost of Non-Compliance Calculator” that allows you to assess whether your management of research data is meeting legal and ethical obligations. In under 7 minutes, you will be able to discover your cost of non-compliance and get recommendations on how to meet the appropriate legal and ethical obligations!
Sources:
https://www.globalscape.com/news/2017/12/12/globalscape-inc-and-ponemon-study-finds-data-protection-non-compliance-expenses-45?
__________________________________

Vafa Javadova (article author) is a myLaminin intern studying Management and Organizational Studies (BMOS) at Western University.