If you think compliance is expensive, try non-compliance.
In today's data-heavy environment, being compliant in every aspect of a company's business is vital. Especially talking data processing and information security.
In the EU, this has primarily been made obligatory through the General Data Protection Regulation (GDPR), and similar data protection regulations are apparent in other parts of the world. Regulations like GDPR require that companies uphold different obligations such as a continually updated Data Protection Addendum and agreement between a Data Processor and Data Controller, stating and regulating on what legal basis data is processed, etc.