Building a Business Case for Privacy Initiatives

Evolving regulatory requirements for data risk at the international, federal, and local level continuously drive compliance needs for organizations of all sizes and industries. Also, the public’s growing understanding of issues related to data privacy has heightened social expectations surrounding consumer choice, transparency, and control. A well-crafted enterprise data privacy program will keep businesses attuned to these maturing regulations. Addressing regulatory requirements and growing consumer demands requires that organizations tackle privacy initiatives that are difficult to quantify and may not have an immediate payoff. As a result, it is crucial to develop a practical business case to illustrate the importance of meeting these requirements and the expected value of taking action and committing resources. A solid business case provides a framework for the strategy, planning, and management of organizational change. In this article, we explore the key inputs needed to frame the business case and how a business case should be presented to the necessary decision-makers. 

Evaluating Your Organization’s Current State

The foundation of a business case is identifying the highest need for your organization by evaluating areas of risks and determining the corresponding priorities. There are several factors that you should consider, which will be unique to your organization.

  1. Regulatory and Jurisdictional Requirements: Consider the geographic locations of customers and employees to define the applicable jurisdictions and corresponding regulatory obligations for the organization; consider international, federal, and state requirements. Assess any current or upcoming changes to the landscape of the industry as well as any widely accepted industry standards. This may also help to assess whether a particular initiative developed in one region can serve as a model or be scaled to incorporate the needs of other geographies. 
  2. Control Environment: Analyze your current environment of technical and operational controls against requirements from the regulations and standards identified to be in-scope. Identify control gaps and prioritize based on the organization’s needs. Enhance the prioritization effort by classifying the identified controls as either “mandated” or “recommended” controls to implement within the organization’s environment, based on key requirements from regulations and existing company policies.
  3. Policies and Procedures: Evaluate the current state of the organization’s documented policies, procedures, and privacy notices and highlight gaps relative to in-scope regulations and standards. The results of audits or assessments can be useful in gathering this information.
  4. Consumer Sentiment: Regulatory requirements may not be the only thing driving privacy program enhancement. Your organization’s position on data ethics and risk appetite may mean that regulatory requirements are only a baseline. Providing greater consumer trust, transparency, and control could be used as a strategic competitive advantage. For example, extending individual or data subject rights to all US citizens may not be a legal requirement; however, some organizations may extend those rights to a larger set of their consumers if they view it as a good business practice, or wish to simplify their internal processes.

Performing this type of risk assessment and operational review can identify gaps and uncover the areas where your current practices do not align with your organization’s risk appetite. These identified gaps factor into the decision about how resources are committed within the business case that you are building. The rationale for prioritization should be documented and maintained to provide a record of the decision-making process.

Building the Business Case

Business cases may be presented in a number of ways based on how your organization makes funding decisions. When creating the business case, it is important to tailor the presentation and messaging to the intended audience. A discussion of privacy initiatives involves quantitative and qualitative measures, which can create additional challenges when preparing a business justification. There are several aspects of the business case that are particularly effective and should be presented in a transparent manner:

  1. Metrics – Create metrics that quantify the gap between your current state (what is being achieved at current budget and staffing levels) and your optimal state (what can be achieved with different resourcing).
  2. Organizational Impact – Highlight both short and long-term benefits of executing the proposed initiative.
  3. Trust and Compliance Outcomes – Show examples of competitors or other organizations that have been impacted by noncompliance, loss of consumer trust, etc.

Preparing metrics on the current state of the organization’s privacy program helps quantify the needs and requirements to remediate identified gaps. This can also highlight where investment in longer-term initiatives (e.g., technology implementation, process enhancements) may be required and how previous investments have paid off. For example, metrics on the volume of incoming consumer rights requests may make a strong case for further budget and headcount just to meet regulatory requirements. Depending on your audience, metrics should be flexible and capable of providing deeper insights, such as where a modest investment can yield the greatest benefit or reduction in risk.

When making a case for new privacy initiatives, differentiate between the short and long-term benefits of executing the initiatives to show impact across the time horizon. Using the metrics that you’ve defined above, is there a reduction in program costs as the time horizon increases? Use this time-bound perspective to show where short-term outlays may yield long-term savings. Present clear, realistic advantages that your program will yield at various points and understand that teams will be held accountable for meeting these results over time. Because the business case will be a record of the decision-making process, it will serve as the tool for understanding whether the expected benefits are received over the life of initiatives.  

An additional strategy that can help to illustrate less tangible points is to identify real-world examples of the potential impact of forgoing key initiatives. Using lessons learned from organizations of similar size and industry, you can highlight the cost of inaction or demonstrate why a particular initiative may be a competitive advantage for your business. Coupling the potential financial impact on the organization with relevant examples of noncompliance can serve to inform the organization’s risk posture and concretely support the business case for privacy initiatives.

Conclusion

As evolving regulatory requirements and cultural perspectives continue to push organizations to prioritize data privacy and consumer rights, it is crucial to understand how to present the benefits of investing in data privacy initiatives. By creating a clear business case that examines key risk