Setting Privacy Budgets

The IAPP studied privacy professionals’ roles and responsibilities this spring and took a particular look at the control they had over budget spending. Interestingly enough, the results revealed that few privacy professionals had decision-making power when it came to purchasing privacy tools, such as software. This article takes a closer look at the IAPP’s Industry of Privacy Project.

Fortune 1000 Survey

The survey asked about 275 privacy professionals at Fortune 1000 companies. There was a 23 percent response rate, providing a sample that was alike in important ways. That is, all of the respondents were privacy leads at private, for-profit firms.

Of course, these are all large, well-established companies, not start-ups or SMEs. The average surveyed Fortune 1000 company’s privacy program has a budget of $2.4 million. The median budget is $1 million. Of course, there was considerable variation from company to company. For instance, the smallest company does about $2.5 billion in revenue, while the largest does almost $500 billion, about 200 times that of the smallest firms.

12 percent of the firms included have privacy budgets of over $5 million annually, while another 14 percent spend less than $500,000 annually. Of that mean $2.4 million amount, about $1.9 million is spent internally, while the other $500,000 is spent externally.

Privacy Program Maturity

Of the internal spending, 50 percent is used for salary and benefits of privacy program employees. The number of employees varies as widely as the budgets, as is to be expected. Participants were asked to characterize their own programs on a spectrum from “pre-stage” to “mature stage.”

Those who deemed themselves pre-, early, or middle-stage reported an average of 3.3 full-time employees, while the 26 percent of firms in the mature stage reported an average of 25 full-time employees.

Furthermore, the average firm in the sample had another 17 employees that contribute to the privacy program in some way, shape or form.

It’s interesting to note that the programs are growing. 33 percent of the companies reported an intention to hire more full- and part-time employees in the upcoming year. Similarly, 38 percent said they will likely increase budget in the next year, and that increase for those who intend to grow is substantial – an average estimate of 34 percent. Only 10 percent of respondents expected budget contraction, though it was a reduction of about 22 percent.


There are some things to mention here. By interviewing privacy leads at firms known to have privacy programs, the data is clearly skewed. It’s impossible to say with 100 percent certainty that Fortune 1000 companies as a whole spend an average of $2.4 million. There may be companies that spend no money at all on “privacy.” Also, IT budgets directed towards breach-prevention software and other data security spends are not included in this study.

Only 35 percent of respondents reported they have budget authority for privacy-related software, though this remains the largest category for spending, after salary and benefits, of course. Everything else is mostly legal services, audit services, training for the organization and for privacy professionals, data mapping and monitoring and a variety of other small expenditures (e.g. travel and privacy seals).

This study will be released by the IAPP to all members within the next month or so.


During spring 2014, the IAPP studied the roles of privacy professionals worldwide, with a particular interest in the influence they had on budget spending and the areas over which they had primary control. This article focuses on the decision-making authorities professionals have, particularly in terms of budget formation and spending.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Privacy responsibility framework (II.B.)
