Article

The cost of not having a privacy programme

Marc Marrero, Practice Lead
December 2024


The value of a well-designed, well-managed privacy programme cannot be overstated. As privacy emerges as an important business function, privacy teams are faced with the need to justify investment in privacy in strict return on investment terms. This has led to privacy professionals making the case for the positive financial impact of their privacy programmes while ignoring the wider benefits to the organisation. For those seeking an alternative perspective, we approach this from another angle: we consider the technical and organisational costs of not running a privacy programme and reflect on the implications, which extend far beyond the privacy team.

Organisational Costs

Rather than running a single global privacy programme, there is the “too federated” model of data privacy; by this, I mean the increased cost of running individual compliance programmes across multiple countries, with teams of people in each jurisdiction remediating in silos to comply country by country.

Then there is also the “programme does not exist” model of data privacy. If there is no data privacy programme, then usually data privacy becomes the sole domain of Legal, IT or Compliance. In theory this approach may be workable, but it has shortcomings. Legal or Compliance will (by nature) navigate toward maximum compliance, but they are not risk management professionals. They will miss the individual, risk-based and harm-centric approach intrinsic to a data protection programme. Equally, in an IT-driven data privacy programme, key gaps begin to emerge around paper-based records and retention. It is the mix of Legal, Compliance, Risk Management and technological awareness that allows a good privacy programme to focus on personal data risks, while crucially fostering ever greater levels of data protection expertise within a business at the same time.

From a cost perspective, the “programme does not exist” model discounts the fact that more people would be needed in Legal, IT or Compliance for those functions to effectively absorb data privacy into any mid-sized to large organisation. In regulated industries such as financial services, Legal or Compliance professionals with an understanding of privacy can be scarcer and more expensive to hire than a privacy professional. The “programme does not exist” model basically spreads data privacy work across more siloed internal functions like Legal, Compliance and IT. At best this means those functions do less of their day-to-day roles; at worst it means privacy compliance simply does not receive sufficient focus until an emergency arises, at which point it becomes even more expensive to fix.

Technical Costs

There are also technical costs associated with not running a privacy programme. To use one example, how can an organisation launch Artificial Intelligence (AI) products or services without understanding whose personal data is being fed into the model to train and run it? Was all of the personal data used by the model (and AI requires a lot of personal data) collected legally? Just to give one example of the complexities here, which function (Legal, Compliance, Risk or IT) would respond to a data subject deletion request for data fed into an AI model? Legal or Compliance would want to act on an AI-related data subject request but would lack the technical knowledge to do so. IT would have the technical knowledge but lack a deep understanding of privacy laws. Risk could log this as a high risk and escalate it through a Risk Committee, but would not have advised the model programmer, as there is no systematic privacy review without a data privacy programme. In short, this one example highlights the question of who would pull all these siloed groups together to create a coherent and effective response on demand, as there would be no privacy programme to build this repeatable capability across the organisation at scale.

The example above also underscores the technical cost of not embedding privacy by design into an organisation. Any effective privacy programme should complement organisational efforts to streamline processes and reduce costs. To give a few examples of the feedback loop of privacy by design, a rationalised use of vendors would lead to fewer international transfers, limit unnecessary licence costs, and save manual access control effort.

Lastly, there are also technical and material impacts of not running a privacy programme. Retention and data storage costs go up if data is not deleted in line with a retention schedule, which also has ESG rating consequences given a data centre’s energy use. There are IT-related costs around data mapping and the need for data discovery tools (which are expensive) that a Record of Processing Activity, created and maintained through a privacy programme, would help alleviate.

In short, it behoves any organisation not to focus solely on the potential ROI of a privacy programme. There are tangible and significant costs to letting siloed parts of your organisation such as Legal, IT, Compliance or Risk run and manage data privacy in isolation.
