Why privacy investments are now seeing some impressive returns

Privacy investments have long been thought of by business leaders as primarily a cost centre. However, new research suggests there are some serious ROIs to be had from bolstering your privacy profile.

When many organisations think of privacy and regulations such as GDPR and California's recent CCPA, a knee-jerk reaction may be one of dread and headache-inducing stress. For all of the drum beating that GDPR brought with it way back in 2016, and with CCPA putting the nail in the regulatory coffin, many firms still opted to do just the bare minimum, thinking that putting the necessary data-shielding practices in place was, above all else, just way too expensive.

Coming at the issue from a business perspective, this really is fair enough. Many organisations just didn't know what to make of this new global focus on privacy and getting firms up to speed was costly, stressful, and time consuming. To top it off, there was an overarching question of whether these practices - apart from protecting customer/consumer data and raising awareness of rights - provided any overall benefits to businesses.

Generally speaking, we have come to know compliance as nothing but a cost centre, taking precious capital away from the areas of the business that really need it. This is especially true for those firms that are data-centric, with a strong focus on the commercialisation of PII.

However, there is new research to suggest that investments in realigning a business for privacy might not be dead money after all; in fact, they might actually translate into some solid ROIs. Networking giant Cisco has released its latest 'Data Privacy Benchmark Study', which surveyed over 2,800 security professionals across 13 countries on their company's privacy investments.

The report found that, for the first time, privacy investments were paying off for organisations across the board, with the majority of firms seeing very positive returns. In fact, organisations on average received benefits of 2.7 times their investment, with more than 40% seeing benefits of at least twice their privacy spend.

This then raises the question of whether we need a fundamental change of mindset when it comes to bolstering privacy expenditure. It has certainly been difficult for privacy and security professionals to make the case to business leadership for increased privacy-focused spending, as it is often seen as providing little business benefit. However, if those business leaders can be convinced that such investment will actually make them money, beyond merely serving as an insurance policy against data-breach costs and fines, they might be more inclined to listen.

Privacy actually profitable?

You might think that all of the benefits a firm could muster from bolstering its privacy investments would be achieved as a result of… not getting fined. It's true that things like GDPR have underpinned some high-profile fines, and the fallout from data breaches has led to some forceful payouts.

However, this is only one part of the picture, and focusing wholeheartedly on the punitive aspects of GDPR compliance can result in firms missing out on some tangible benefits. According to the Cisco report, 70% of organisations (up from 40% last year) now say they receive significant business benefits from privacy efforts beyond compliance, including better agility, increased competitive advantage, and even improved attractiveness to investors.

Bolstering privacy measures also reaps rewards that hold even greater value than those attained from compliance alone, including mitigating losses from data breaches, achieving operational efficiency from data controls, and building brand trust and loyalty amongst customers.

That last benefit is a significant one according to Cisco, as both customers and partners become increasingly aware of the importance of a solid privacy posture, while increasingly holding private firms to account. This is especially true for technology vendors.

"Generally speaking, if you build a technology product which captures personal data, you need to build privacy requirements into it if you want to sell it," says Lorena Marciano, EMEAR Data Protection and Privacy Officer for Cisco.

"More customers are asking how their data is used and protected when purchasing connected devices and systems. For a business, being unable to answer these questions undermines, complicates, and delays the sales process. Therefore, there is a direct link between investing in a data privacy framework and sales success.

"I compare this to buying food at the supermarket and looking at the nutritional label to make sure you're not buying anything unhealthy or bad for you. The same applies to technology purchases. You look at things like the power and network requirements of a product, so why would you not look at its data privacy, protection and security protocols?"

The conversation around brand loyalty, and the damage privacy ambivalence can cause here, is backed up by a recent study by payment security firm PCI Pal, which found that the buying decisions of US and UK respondents are affected by whether a company has suffered a public data breach. 62% of Americans said they would refrain from spending at a breached company for several months following an attack (compared to 44% of Brits), while 41% of UK respondents indicated that they would stop frequenting a brand forever after a breach (compared to 22% of US respondents).

Digging deeper into benefits

Perhaps an obvious side benefit for investing in privacy is that the act of protecting certain data almost has to go hand in hand with a marked improvement in overall cybersecurity posture. As Forbes points out, aligning a business to be proactive and efficient when it comes to privacy can often involve establishing thorough control over the entire IT infrastructure, with the development of healthier data protection workflows, and the streamlining of security monitoring.

Thus, privacy investments also tend to make internal systems more robust. Before GDPR, this was perhaps the main fiscal reason an organisation would want to improve its privacy and data security investments, as doing so would mean avoiding a data breach or systems attack in the first place, along with all the costs associated with it. This is especially pertinent today, as the average cost of a data breach has now risen to USD $3.92 million, according to IBM.

Another benefit comes about as a result of making privacy-focused changes to the way your data is indexed and organised. As Index Engines founder Tim Williams writes on LinkedIn, if a firm ensures that its data is stored, organised, and classified correctly, while removing dark and ROT (redundant, outdated, and trivial) data and improving archival procedures, the result is an effective streamlining and 'de-siloing' of that company's data centres. This has a range of knock-on benefits, including an enhanced ability to respond to regulatory requests (such as requests for information), and even more useful customer/CRM data, thus directly affecting sales.

That's not the only way that sales can be improved by privacy investment, though, as the Cisco study identified a reduction in sales delays for organisations that showed more maturity in their privacy posture. These interruptions have arisen as privacy concerns amongst customers have become increasingly pronounced. The delays are typically caused when customers want to know what data is captured by a company's product or service, how the data is stored and transferred, and who has access to it. Cisco says the average delay was around 4.2 weeks, with more privacy-adept companies beating out the box-tickers.

"Investing in privacy is fundamental to the sales process. Not doing so and being unable to prove your products' privacy credentials to potential customers can delay the sale by up to three times," Marciano says.

"Increasingly, a failure to invest appropriately in data privacy can mean you lose sales. Customers are more aware of their privacy than ever before, so it is an area which is facing more scrutiny than ever before."

An additional revenue-related consideration for privacy investments, according to Cisco, is the value of privacy certifications in the buying process. There are a range of different certifications and accreditations organisations can attain from regulatory bodies as a result of being privacy-efficient, and these are becoming an increasingly important consideration when firms are selecting third-party vendors. Cisco found that 82% of organisations indicated that such certifications are a buying factor when selecting a vendor or product.

Some of these certifications include ISO 27701 (a privacy extension for ISO 27001), EU/Swiss-U.S. Privacy Shield (a legal mechanism for transferring data to the U.S.), APEC Cross-Border Privacy Rules (demonstrating compliance with the APEC privacy framework and enabling international data transfers), and EU Binding Corporate Rules (demonstrating adherence to EU standards and enabling global intracompany data transfers).

Rethinking privacy programs

While it is now clear that privacy investments can deliver real and meaningful returns for organisations, there is still a perception - notably among upper management and business leadership - that privacy spend is dead money and the procedures put in place limit or inhibit innovation.

A 2019 Forrester report indicated that business leaders still view privacy programs warily, as threats to growth and innovation. It asserts that businesses, which are often focused on short-term, quarter-on-quarter revenue growth, aren't as prepared to go beyond the bare minimum on privacy investment, given the considerable upfront costs and benefits that don't come through until later on.

To combat this perception, Forrester applied its Total Economic Impact framework to illustrate the extent to which privacy provides ROI. It found that for a privacy investment of just over $24 million, the benefits reaped would be approximately $27 million, meaning that after one year of privacy investments the ROI would be just under $3 million. This adjusts to a 17% ROI on a $72.3 million investment over three years, meaning an extra $10.55 million was in the pocket.

Forrester's findings, it says, arm privacy professionals, and specifically chief privacy officers (CPOs), with a compelling business case to elevate privacy within their organisations. It says this is an important factor, as privacy programs simply don't work without the support of primary stakeholders. The report compels organisations to go beyond simply meeting compliance and instead think about how privacy can be used to carve out competitive differentiation, facilitated with the appropriate sign-offs and budget approvals from stakeholders.

Cisco also echoes the necessity of getting wider business support, as Marciano explains in relation to the Data Privacy Benchmark Study.

"We hope this study will inspire companies to take a more proactive approach towards data privacy. The advice I would give to businesses is three-fold. First, gain C-Level support on this issue. Privacy is a fundamental right that must be protected at all costs, making it a boardroom-level issue."

"Secondly, invest in making privacy part of your company's DNA - baking it into every stage of developing tools, products and systems. Finally, make privacy work for everyone. Sometimes data privacy policies can only be understood by lawyers, when they need to be accessible to all employees within an organisation.

"This can only be done through investing in internal communications, training and skills development around data privacy."