In previous articles, we discussed how privacy spending has been steadily increasing, good news for privacy professionals who require new tools and techniques for dealing with the growing privacy responsibilities they are being tasked with.
Privacy Budget Breakdown
According to the IAPP’s Industry of Privacy survey, which took a look at data from 413 privacy professionals worldwide, spending on privacy fell into three major categories: Consulting, Technology and Legal. The majority of respondents (i.e. 51.3 percent) did not rely on consultants to aid with privacy-related matters. However, a substantial number of respondents continue to contract for consultation on privacy matters.
Consultation spending fell under the following categories:
- Assessments and audits
- Staff augmentation (experts on demand)
- Process integration (getting people to work together)
- System integration (getting technology to work well together)
- Miscellaneous consultation services
While the majority of privacy professionals had some influence over the hiring of consultants for all the above tasks, privacy professionals held the most sway over assessments and audits.
The IAPP survey took a look at the following types of technology/service provider expenditures:
- Backup and recovery software
- Data loss prevention
- eDiscovery software
- Governance and compliance solutions
- Identity and access management
- Mobile device management
Privacy professionals reported the most influence over governance and compliance solutions, with data loss prevention and identity and access management reported as the area where they had the second-most influence. Despite the ability to assert some influence over these spending decisions, privacy professionals are very rarely the decision-maker in this area. Governance and compliance solutions represented the area where privacy professionals held the most influence. But only 17 percent of respondents were decision-makers here.
The level of influence over legal spending varied and was mainly dependent upon position. Two positions that stood out were private-sector in-house, compared to in-house information technology. Regarding general legal spending, private-sector in-house positions showed clear dominance in control over spending, but when legal spending targeted incident response, the positions were relatively the same.
The findings of the IAPP survey have shed light on some common myths regarding spending on privacy-related products and services.
Myth #1: Small Companies Don’t Spend on Privacy Products or Services
It’s commonly thought that small companies are unwilling to spend capital on privacy compliance. However, the survey results show that company size may have little to do with spending on privacy. Based on the number of companies that reported spending on privacy-related products and services for each of six size ranges, on average, there was on 8 percent increase in the number of companies that reported spending on privacy-related products and services, until the company size reaches 5,000 employees.
This means for organizations with 5,000 or fewer total employees, there is a slight inverse correlation between size and privacy spending. For companies with more than 5,000 employees, there was, on average, only a 1 percent difference in the number of companies reporting spending on privacy-related products. This is not unusual, as growing from 100 to 1,000 employees is much more dramatic than a growth from 10,000 to 20,000 employees.
Myth #2: IT Departments Control Privacy-Technology Spending
Here it’s important to note that the organizational structure varies widely from one company to another. However, privacy departments generally fit into this structure in one of two ways. Either the IT department will handle the privacy issues, or there will be a separate team (typically within the legal or compliance departments). In the second approach, it is a common belief that members of the privacy team are excluded from the decisions regarding purchasing privacy-related technology products or services. Survey findings suggest that there are actually privacy professionals outside of IT that are involved in purchasing privacy-enhancing technologies.
27 percent of the IT professionals surveyed reported they had influence or decision-making power over spending on privacy enhancing technologies, compared to 19 percent of private-sector in-house privacy professionals.
The percentage of IT and private-sector in-house professionals who reported having influence over spending on privacy technologies shifted based on the type of technology product being purchased. With mobile device management technology, IT professionals reported having 60 percent influence and 20 percent decision-making power. A full 80 percent reported having some say.
While 43 percent of private-sector in-house professionals reported having influence, 3 percent reported they had decision-making power. The situation is slightly different for data loss prevention products. While the same 3 percent of private-sector in-house professionals reported having decision-making power and 47 percent reported having influence, only 60 percent of IT professionals reported having input in that area. This suggests that spending on privacy-related technology products depends greatly on the technology product itself.
However, even without a budget or final decision-making power, privacy professionals outside of the IT department still wield a substantial amount of influence on spending with regard to privacy technologies. The survey findings also suggest that organizational privacy leaders don’t work in a vacuum, rather they collaborate with other internal leaders in order to meet their privacy objectives.
Based on the findings from the IAPP Industry of Privacy survey, this article looks at the breakdown of privacy budgets in various-sized organizations worldwide. It also debunks two common myths of privacy spending.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
- Privacy responsibility framework (II.B.)