Articles

Making the Business Case for Your Data Privacy Program

Written by Matt Davis, CIPM (IAPP) | May 29, 2024

Anybody whose responsibilities include privacy can relate: Most people vastly underestimate the complexity of data privacy compliance. And that’s if they understand why data privacy compliance matters at all. 

The result is small, under-resourced data privacy programs—or nonexistent ones. 

How can privacy professionals make the case for their data privacy program? These seven tips serve as an essential framework. 

7 tips when making the business case for your data privacy program 

1. Report on what matters to others 

Data privacy and security are often compared to one another—both are essential, both require investments that don’t directly generate ROI, both aim to protect, and so on. But a key difference between the two is that security is much easier to directly measure.  

Cybersecurity programs can evaluate the outcomes of phishing exercises, report on how many threats they’ve countered, count the number of vulnerabilities patched, and more. Data privacy programs, comparatively, have a more meager list of quantitative metrics to choose from—especially if your aim is to prove the value of a privacy program to internal stakeholders. 

That’s why it’s essential to report on those quantitative, internally persuasive metrics that do exist. Make sure to measure things like: 

  • The length of time that current privacy operations take, such as data subject access request (DSAR) fulfillment, vendor assessments, and the like. How much does that cost the business today, and how much more could the business save by investing in your data privacy program objectives? 
  • How many DSARs is the business receiving? Are they trending upward, and therefore require better tooling and/or more staff to handle? Are there trends in key regions where the business operates? Is the business fulfilling DSARs on time, or is it missing deadlines and inviting undue risk? 
  • How often does privacy come up in conversations with sales representatives? Even a few mentions here and there could signify a larger demand for privacy protection amongst your target audience. 
  • Are you measuring demand for privacy in voice-of-the-customer surveys? 
  • Do employees reference privacy in internal pulse surveys? 

This isn’t an exhaustive list, but these metrics demonstrate how privacy overlaps with other business goals. Drilling down into those areas of overlap will be key to persuading stakeholders to support your data privacy program. 

2. Keep tabs on and communicate the headlines  

Because privacy can be hard to measure quantitatively, doing so qualitatively can be a powerful persuasive tool. 

Any privacy professional should be keeping their finger on the pulse of the privacy industry. (Did we mention we have a newsletter that helps you do just that?) But it’s even more important to spread the news of major data privacy developments to your colleagues.  

There’s no shortage of news in Europe about major fines and penalties being levied out by data protection authorities. Enforcement in the U.S. is ramping up too, with the Sephora enforcement serving as a major wake-up call to California-based businesses. Other states will assuredly follow California’s lead and seek to show that their law has bite equal to its bark. 

These headlines can be powerful motivators.  

In the grand scheme of things, data privacy is a relatively recent phenomenon. Sure, the GDPR has been around for some time now, but many businesses, especially American ones, have never given a second thought to a law that doesn’t seemingly impact them—especially when businesses like Meta and Amazon have gotten mind-bogglingly rich with user data. 

If a business in your industry suffers a data breach exposing customer data and especially if that data breach revealed noncompliance with a relevant data privacy law, it can make data privacy compliance seem all the more real to your coworkers. 

We should note, however, that the goal isn’t to persuade through fear; it’s to provide an objective perspective into the nature of data privacy and the risks facing the business.  

3. Conduct a thorough discovery  

Do you actually understand your organization’s privacy posture, or do you just think that you do? 

If you don’t know what the actual level of risk is in your organization, where data is collected and how it flows through different systems, to whom it’s transferred, what technologies rely on user data, what processes are already in place, and so on, you won’t be able to pinpoint where you need improvement. And without that, you won’t be able to make the case for additional resourcing.  

If you haven’t recently conducted a data inventory/record of processing activity, now may be the perfect time. 

Leaders can’t have insight into every activity going on in the business; they need experts on their team to surface important issues to them. Often, leaders don’t seem to care about privacy because it’s out of sight—and therefore out of mind. 

4. Don’t go straight to the C-suite 

As part of a thorough discovery, it’s essential that you don’t go right to the top first when securing buy-in for your data privacy program. Eventually you’ll need the buy-in of your organizations’ leadership, but it shouldn’t be the first thing you seek.  

Instead, you should approach individuals that sit a level or two below any given leader. As an example, rather than talking to the Chief Product Officer, the Head of Engineering might be a better person to talk to first. These individuals may have more time to spare, and they may be more inclined to frame your conversation in terms of discovery rather than decision-making. More to the point, they’ll be better able to identify stumbling blocks, privacy-adjacent activities they oversee, risks, goals, and so on. 

Armed with this information and hopefully with this individual’s support, you’ll be in a much stronger position when you do go to the C-suite and make your pitch. 

5. Target the blockers...  

Unless they’re already in the privacy world in some way, most people don’t get too passionate about data privacy compliance. 

That’s okay, you can work with that—the real issue is when people are hostile to data privacy. Since most people feel neutral on privacy, blockers can be real momentum killers. 

Usually, blockers to your program will either be concerned about the financial impact on the business as a whole or the impact compliance will have on their ability to do their job. The former is often easier to assuage, as the cost of noncompliance can be a multimillion dollar fine. The latter is a bit trickier. 

Often, the latter group is the marketing team. Marketing experts get worried that asking website visitors for data collection consent will interfere with their ability to analyze their audience.  

If they’re not persuaded by the fact that it’s the law, then you might have more luck expressing how every business in your jurisdiction will have data collection consent banners on their website, and that it’ll be an experience that website visitors expect to have. Or, you could highlight the fact that people who opt out of data collection are less likely to be potential leads—they’re signaling their disinterest straightaway, so why waste effort targeting those disinterested individuals with ads and emails? 

Even if your biggest opponent isn’t a marketer, they probably handle a lot of personal information in one way or another. These individuals are excellent people to talk to about recent enforcement actions, the particulars of the law, and the importance of data privacy as a right. They’re the owners of risky processes—they just might not realize the scope of that risk until you communicate it. 

6.  … And turn them into champions 

If your biggest blockers are the individuals who handle the most personal information in an organization, then they also need to be the most onboard with your privacy program once it’s up and running. After all, you’ll likely be asking for their collaboration during privacy impact assessments, DSAR fulfillment, and the like. 

That's why these individuals shouldn’t just be passive non-obstructionists; they should care the most about data privacy! Marketing, HR, developers—working with personal information makes up a big part of how these people do their jobs. If they understand the risk created by personal information, the rights that need to be respected, and how it all translates into business and customer outcomes, they’ll be the biggest advocates for implementing a data privacy program that truly works. 

7. Most importantly, define your goals and needs 

Most of the tips in this article have focused on persuading the powers that be into caring more about your data privacy program. But what do you actually want and need? 

Convincing others that data privacy is important is all well and good, but this buy-in needs to be translated into tangible outcomes. Do you need an across-the-board budget increase? Will that budget be used for additional staff? For new tools? Do you need somebody to take on less important responsibilities so you can focus on the privacy program? Where are your gaps, and how will you plug them? 

The process of identifying your wants and needs can be a journey in and of itself, so it’s important to start early. If you already know that a data privacy platform should be a feature of your program, then we can help. We offer a free scorecard for consent management platforms (CMPs) you can use to gauge whether one solution or the other is a good fit for your business. And of course, if you’re curious about data privacy solutions in addition to or beyond consent management, you can always schedule a demo with an Osano expert for a full tour of the Osano platform.