Securing Buy-in For Your Privacy Program: 5 Essential Tips

Written by Matt Davis, CIPM (IAPP) | July 8, 2024

Here are two numbers that might make a privacy professional’s heart rate spike: 63 and 51.

These numbers come from a recent report by the Information Systems Audit and Control Association (ISACA), which focused on trends in privacy staffing and resourcing. Specifically, they refer to the percentage of surveyed privacy professionals who believe their program budget was underfunded (63%) and the percentage of respondents who believe their budget will further decrease over the next 12 months (51%).

Privacy professionals are already making do with what they have—and they believe they’ll have to make do with even less in the future.

But you don’t have to sit by and watch the resources you need to stay compliant and protect consumer rights slip away! By being proactive, you can increase the odds that your privacy program secures the buy-in it needs to be effective. These five tactics can help you tip the scales in your favor when it comes to securing buy-in for your privacy program.

1. Articulate the Business Value of Data Privacy

Privacy is not just a compliance necessity; it's a business imperative. To secure buy-in, clearly articulate how data privacy aligns with your organization's broader goals and values. Emphasize that a robust data privacy program goes beyond regulation compliance—it builds trust, enhances operational efficiency, and ultimately protects the company from significant financial and reputational risks.

You can discuss how investing in privacy measures can enhance customer trust and satisfaction, leading to higher retention rates and loyalty. Moreover, research shows that poor data privacy practices can increase a business's odds of a data breach by as much as 80%—and when those breaches happen, poor data minimization and retention practices make them all the more severe.

Osano Head of Privacy Rachael Ormiston discusses how consumers factor data privacy into their buying decisions.

Avoiding negative outcomes is a form of business value, but data privacy can also be a positive contributor. One has only to look to organizations like Mozilla and Apple that have made data privacy a significant component of their brand; privacy-conscious consumers prefer these businesses' products and services. More and more consumers are becoming aware of privacy issues every day. In fact, roughly half of all surveyed consumers have stopped buying from a company or using a service because of data privacy concerns.

2. Leverage Cross-Functional Allies

Data privacy doesn’t exist in a vacuum. Any department that handles consumer personal data or any system that handles consumer data has some stake in data privacy. Rather than go directly to the CEO or CFO to make your case for a larger budget and more staff, cultivate champions across the business.

By working closely with security teams, marketing, sales, product development, and IT, you can build a robust support network that sees the value in data privacy. For instance:

  • Collaborate with your Chief Information Security Officer (CISO) to highlight overlapping interests in data protection.
  • Engage the Chief Marketing Officer (CMO) to illustrate how privacy can actually improve customer experiences and lead generation.
  • Partner with sales to show how effective data privacy can shorten sales cycles by removing legal and data compliance roadblocks.

Not only will this tactic help you gain allies when arguing for more resources, it’ll also make your privacy program more effective now. You’ll need privacy champions willing to implement privacy-by-design principles, fulfill privacy impact assessments, and call your attention to potential privacy issues if you want to achieve compliance.

3. Make a Data-Driven Case

CFOs and other decision-makers often rely on hard data when approving budget requests. Prepare a compelling, data-driven case that emphasizes the financial and operational impacts of investing (or failing to invest) in data privacy. We’ve already provided a few statistics that may be compelling—such as how poor data privacy practices increase the odds of a breach by as much as 80% or that half of all consumers have chosen to take their business elsewhere over privacy concerns.

However, the most compelling metrics will be specific to your own organization. Find out how often data privacy factors into potential deals, how high of a fine your organization could incur if found to be noncompliant with this law or that one, how many vendors manage personal information, and so on. If you track down data that helps quantify exactly how much more work needs to be done on the data privacy front, you’ll go far in making your case. (If you’ve gotten experts from other departments on your side in Step 2, it’ll be easier to source this data!)

Osano CFO Ryan Macia explains how to align data privacy and business goals.

4. Present Clear, Strategic Recommendations

When approaching stakeholders, particularly the CFO, come prepared with a well-thought-out recommendation. Show that you've done your homework by thoroughly understanding the financial implications, exploring various alternatives, and presenting a strategic, clear-cut plan.

It’s a cliche, but it’s true: Don’t bring problems, bring solutions. Detail how the proposed investment will specifically address current issues and support the long-term health of the business. For instance, if you’re recommending privacy tech tools, explain how these will replace or supplement manual processes and what initiatives you’ll be free to pursue as a result.

5. Focus on Preventive Measures

Prevention is better than cure—the adage is especially true for data privacy. Highlight the significant costs of potential data breaches or compliance failures and frame the investment in privacy as a preventive measure. Point out that while it may be tempting to cut corners now, the financial, legal, and reputational repercussions of data incidents make a compelling case for proactive investment.

If your organization is subject to the CCPA, for instance, diving into the enforcement actions against Sephora, DoorDash, and Tilting Point Media could be persuasive. Depending on which laws you’re subject to, you may benefit from describing how cure periods (i.e., opportunities to fix violations before being penalized) are expiring. These talking points can help convey that waiting to receive a notice of noncompliance before getting your house in order is a dangerous game.

Osano CFO Ryan Macia explains how many companies invest in data privacy and security after disaster strikes.

Most Important of All:

Stay informed!

Data privacy is constantly evolving—that means the pressures and risks your organization will face from a privacy perspective are constantly evolving too. A new law, a new enforcement action, or a new business initiative could make all the difference when it comes to securing buy-in for your data privacy program.
