“There is only one amount of money—just not enough,” author Andrew Kaufman once wrote. Many departments in an organization feel the financial pinch, especially privacy teams, who face the challenge of completing herculean tasks on a small budget. Privacy budgets tend to be microscopic compared to those of security or IT/infosec teams. Thus, critical privacy activities such as incident response often get lower budgetary priority than new cybersecurity initiatives—and when that happens, the entire organization is at risk.
Recent IAPP and TrustArc research on privacy technology spend and deployment found that “budget is the largest reported barrier to adoption [and] essentially, if [organizations have] budget, they’re in the market.”
The GDPR and your privacy budget
With the threat of GDPR fines looming, privacy budgets did increase—for a time. The 2018 IAPP-EY report notes “that organizations have bulked up their privacy teams, tackled the hard work of implementing GDPR programs [and] spent a lot of money to get there (an average of $1.3 million, with an additional $1.8 million expected).” And compared to 2017, a greater share of privacy spending in 2018 has gone to outside counsel (up 15% from 11%), and technology and tools have increased from 9 to 12%.
However, GDPR did not solve privacy’s budget woes. Sixty-five percent of respondents in the IAPP-EY report feel their privacy budget is not enough. In a recent IAPP webinar, Nikole Davenport, senior manager of cyber risk services at Deloitte & Touche, said, “Absent the GDPR fines and that big push for 5/25, 2019 budgets were lower for a lot of clients across the industry…. They felt like they [had] addressed the privacy part [which is] the ability to look at breaches and notify [of] breaches.”
Ms. Davenport went on to say she tells clients that “Your privacy journey is not one year...we weren’t dieting for the May 25th wedding, but we were changing our diets for a way of life to become healthy. And that starts with privacy. But phase two...is the integration between data protection and privacy…. Sometimes that data protection price is much higher than the individual governance piece.”
Budgets may flux as the buzz about the GDPR waxes and wanes. However, awareness of and concern for privacy remain high. Seventy-eight percent of respondents in the IAPP-EY report say that privacy is a board-level issue, with a focus on long-term privacy compliance. And since GDPR came into effect, data breach complaints to the Information Commissioner’s Office (ICO) skyrocketed 160% between May 25 and July 3, 2018, compared to the same period the previous year.
Bridging the budget gap
Privacy teams can apply strategies to overcome the lack of budget—and even increase that budget. Here are some tips:
- Get other stakeholders involved. Connect with security, so you can leverage their budgetary authority on your behalf. According to the IAPP-TrustArc study, the budget for incident response resides in IT/infosec for 58% of organizations—not in privacy or legal. It’s up to privacy pros to influence purchasing decisions, which 69% of respondents said was the case.
- Demonstrate the importance and value of the privacy program to the board, executives, and the public. Purpose-built software such as RADAR includes dashboard reporting, which helps elevate visibility of the privacy program within the organization. For example, you can begin measuring your incident response program by monitoring key metrics such as the percentage of incidents that were notifiable breaches or the length of time from incident discovery to notification. This will allow you to benchmark to measure how the performance of your privacy program stacks up against your industry peers and determine the risk to your company if you’re lagging.
- Build a business case for leveraging privacy automation to justify cost. Start by identifying the risks to your organization due to inefficient or manual processes and make a list of your business goals. These goals may include:
- Scale to meet growing privacy needs without additional headcount.
- Reduce overall risk by bringing consistency to the breach determination process.
- Ensure breach decisions are based on the most up-to-date breach notification regulations, while reducing time spent researching these ever-changing laws.
- Build more efficient methods for reporting so you can improve your privacy program.
The risks for noncompliance with breach notification laws are greater than ever. Costly fines, intense regulatory scrutiny, and heightened public awareness make the role of privacy essential in today’s threat-filled world. Look for privacy automation that boosts visibility of your program in meaningful ways and that eliminates inefficient processes so you can do more with less.
Stay tuned for the next post in this series, which will cover the fourth and final challenge: the high cost of inefficient processes. You can also learn more by downloading the free whitepaper: The 4 Challenges of Managing Incident Response.