The Business Case for Privacy
A colleague asked me recently, “How do we convince CEOs to pay for privacy?” It’s a common question we
get in the consulting space. The short answer is that there is no single business case for privacy.
Privacy is a nuanced, contextual subject, and one that leaders across sectors struggle to address
consistently, so the act of “selling” privacy is as audience-specific as many other compliance-related or
As a privacy person who has worked with a wide variety of organizations, I find that each new privacy challenge
reminds me of how much we can and should learn from security. Like an older sibling, security has its
own tendencies, motivations, and mannerisms, and there is a critical opportunity for privacy, as the
younger, to learn from our older, more experienced sibling. I say this as a little brother who should
have learned more from his older siblings. In the spirit of continual improvement, let’s take that
lesson and apply it to some of the many privacy challenges facing us today.
If there’s no universal business case for privacy, then how does privacy get funded? Successfully
selling privacy work involves connecting privacy initiatives to core business objectives and
organizational performance. While some businesses see privacy as a potential differentiator, or even a
catalyst for diversified revenue generation, many still see privacy as a cost avoidance,
compliance-related topic that garners only as much focus as is necessary to manage enterprise risk and
keep regulators at bay.
Furthermore, different functional areas within enterprises have very different views of the relative
importance, urgency, and potential impact of focusing on privacy best practices. For example, user
experience leaders assess privacy regulatory obligations and risk differently than sales and marketing
leaders, data infrastructure stewards, engineering heads, analytics managers, and even core risk and
compliance professionals. So, if everyone has a different approach, and the only constant in privacy
demand seems to be a lack of consistency, how can you positively develop and champion privacy
engagements (either as an internal resource or an external supporter)? Here are some core areas to focus
on when pursuing a privacy initiative:
- Study the culture of the organization and develop an understanding of their overall risk. Identify
key operating initiatives, leadership objectives, and organizational messaging trends (including
public facing materials and financial reporting, where applicable).
Every organization, no matter how similar on the surface, holds a unique risk appetite –
degrees of risk that they find palatable as an organization and a leadership team. Even
businesses seen as peers or competitors can vary greatly under the surface in terms of the
risk they are willing to accept. Privacy is an area where this becomes clear very quickly.
Privacy policies are written differently, messaging of best practices vary, and the
standards driven in normal operations of the businesses vary based on what is required and
what may just be nice to have. Task number one is to determine how an organization views
risk mitigation and how much risk they may be willing to swallow overall. With this, you can
place yourself in the shoes of the leadership team and apply risk-based strategy and
decision making at a material, fit-for-purpose level.
- Make direct, actionable connections between business objectives and privacy regulations and
related market influences that can support those objectives.
Anyone who’s ever spent time in forecasting and budgeting periods is likely to see a trend
in what gets approved and what gets placed on the backburner. Approved projects normally key
in on specific objectives and performance measures impacting members of the leadership team,
while deprioritized projects (whose merit may well equal or exceed that of the approved ones)
often lack a strong connection to leadership goals, objectives, and
cultural initiatives. In this way, privacy projects are very much like any other kind of
corporate project – the likelihood of success in a proposal has a strong correlation to
one’s ability to connect that project with the core needs and passions of leadership team
members. As such, develop clear, succinct messaging that aligns the details of your privacy
project with the needs and motivations of the leadership team you’re seeking to support.
- Integrate messaging from legal and compliance professionals with functional leadership in your
organization for a cohesive value proposition.
Most messaging in the privacy space is tied to regulatory changes and new/evolving
requirements in preserving privacy compliance. That said, not every leader reacts positively
to the idea of spending for compliance’s sake alone. Instead, it’s critical to tie the short
and long-term impacts of your proposal to both the risk mitigation and revenue generation
aspects of privacy investment. These benefits, when aligned directly with the goals of the
business and the public persona seen by customers, can make the difference between a
green-lit project and a “maybe later” idea.
- Design your approach and solution to match the distinct needs, expectations, and goals of your
organization – not to a checklist of compliance or a template from other organizations.
Poorly crafted or non-extensible messaging can kill even the best, most effectively designed
privacy projects, but this isn’t unique to privacy at all. So, refer back to the tried and
true “know your audience”, and craft communications accordingly. A single pitch for all
audiences is likely threading the world’s smallest needle with its biggest thread – it’s
awkward, difficult, and not an intuitive or effective approach to influencing decision
makers. Instead, invest time in understanding how your project may impact (and as
importantly, could benefit) each distinct audience to ensure that you put the most succinct
and well-oriented narrative forward to those with influence in giving either a green or red
light on your initiative.
After years in this space, I’m often asked, “Do checklists sell?” I must grudgingly admit
that yes, they sometimes do. However, they do most organizations a disservice, serving as
faux panaceas in a world where none yet exist. Checklist-based solutions are often presented
as “easy buttons” for compliance – do these 15 things and thou shalt be compliant! However,
we see time and time again that these solutions are short-term engagements with an
unavoidable long-term expense. That is, they create privacy programs without longevity or
sustainability. They may be cheaper than more in-depth solutions, but the technical and
procedural debt built from expecting an easy path to a complex and fast-evolving space like
privacy makes checklists obscenely harmful and often far more expensive in the long run than
more customized, thoughtful privacy endeavors. Fit-for-purpose solutions are far more likely
to serve as a stable foundation for continued privacy compliance in a manner that won’t
break the bank long term and actually has a hope of sustained success.
So, how do we get CEOs to pay for privacy? Well, CEOs aren’t the only (or even primary) buyers of
privacy support services. Making that assumption can severely limit one’s ability to get a meaningful
privacy initiative off the ground. Instead, you have to assess the organization, its risk posture, and
the needs and demands of its leadership and customer bases. With this more complete view of the
operating environment, you unlock a myriad of potential solutions that can be positioned in a manner
more receptive to your audience and that actually possess the potential for long-term success and
sustainability of your solution.
Here the lesson from our older sibling applies. Many security teams started largely as standalone
functions, tasked with magically achieving security for an entire organization. It’s a simple idea,
really: hire security professionals and they will take care of the problem. In practice, organizations
developed intriguing roadmaps for security but failed to socialize those plans, due to a lack of
partnership and buy-in from functions across the business. Privacy can avoid that mistake. Build the
initiative with those partners from the start, and the benefits are shared:
- Leaders get an initiative that prioritizes their needs and incorporates the objectives that
motivate their own (and their partners’) actions.
- You get an opportunity to drive meaningful change in a space that is critical to long-term risk
mitigation and revenue preservation.
- And lastly, customers get a business with an intentional, clearer approach to privacy compliance
that they can rely on as users of a given product or service.
Put another way, when you use this approach, everyone wins.
Thanks to Jennifer Chen and Jessica Traynor.