It is evident that a company must invest in its privacy practices to meet legal requirements if it wants to avoid investigation costs and potential civil penalties. But can investment in privacy, data security, and data management bring benefits to the organization beyond those of bare legal compliance? A recent Data Privacy Benchmark Study by Cisco suggests that it can. According to the study, the organizations surveyed realized healthy returns on their privacy spend. And interestingly, organizations with more robust privacy programs generally got a better return on further investment. The survey is admittedly subjective and imprecise. For example, it simply asked survey participants to estimate the value of the return they received on their investment in privacy. Nevertheless, at the very least the survey gives some valuable insight into areas in which organizations believe investing in privacy and data management has broader benefits.
Investments in privacy and data management can bring operational efficiencies to an organization. As a company grows, its data management practices must grow with it. For example, a small organization may be able to get along just fine with an ad hoc approach to data management that is not formalized, documented, or systematic. As the business and its data inventory grow, however, such informal systems can become unwieldy and wildly inefficient. Yet inertia or a failure to prioritize can lead to neglecting investment in privacy and data management. Therefore, renewed focus and investment in a company’s data management practices can lead to less duplication, improved workflows, and cost reductions. A well-planned approach is also more scalable, so that the organization can continue to reap the benefits of increased efficiency even as it continues to grow.
Preventing & Mitigating Data Security Incidents
Investments in privacy and data management can also help companies avoid the costs associated with data breaches and other data security incidents. Of course, investments in new technologies can help an organization keep its data secure. But investment costs should go beyond technology as well. Investments in training programs can ensure that all employees know the content and importance of the company’s privacy practices. Training can also help employees avoid becoming victims of social engineering attacks that may compromise company data systems. By investing in training and technologies that will help to prevent data security incidents, companies can save the costs of breach notification, customer ill will, litigation, investigations, and fines.
Additionally, companies with robust privacy and data security practices can more quickly and efficiently respond to and recover from data security incidents should they occur. An updated, comprehensive, and rehearsed incident recovery plan can help a company avoid extensive revenue loss by quickly getting critical systems back online after a data security incident. This is truly a case where an ounce of prevention is worth a pound of cure and continuing investment now can save a company countless dollars later.
Privacy is becoming a key touchpoint with consumers. This is evident in Apple’s recent push to tout the privacy features of its latest iPhone. This benefit, however, is not limited to companies that look to market privacy overtly. Both consumers and the law increasingly demand that companies be transparent about their privacy practices. No company wants to disclose privacy practices that show it is woefully behind its competitors or standard practices. A commitment to privacy, on the other hand, is likely to result in better sales, brand recognition, and customer loyalty.
Companies that act as vendors or service providers can also benefit substantially from investments in privacy. Clients of these companies do not want to risk their own reputations by engaging vendors or service providers with questionable privacy practices. Due diligence with respect to privacy and data security is increasingly becoming a key part of vendor management. These companies, therefore, must ensure that their privacy practices meet or exceed industry standards, or else they risk losing key contracts and relationships with their clients.
Here, investment in privacy certifications can play a key role. Certifications such as EU-US and Swiss-US Privacy Shield, APEC Cross-Border Privacy Rules (CBPR), and ISO/IEC 27001 or ISO/IEC 27701 can serve as important proxies for signaling an organization’s commitment to privacy. Investment in gaining and maintaining such certifications can reduce transaction costs by giving potential customers an easily and quickly recognizable sign that a company’s privacy and data management practices are in line with industry standards and best practices.
Investing in privacy and data management can make an organization more attractive for investment. Well-informed investors may scrutinize a public company’s privacy practices when deciding whether to invest. The Securities and Exchange Commission has issued interpretive guidance on disclosure of cybersecurity risks and incidents, recognizing that these subjects can materially affect investment decisions. Senators have introduced a bill that would require publicly traded companies to disclose cybersecurity expertise at the board level. In such an environment, a public company that lags behind on its investments in privacy and data security risks leaving investor money on the table.
Similarly, companies in the mergers and acquisitions market should view investment in privacy and data security as essential to maximizing the company’s value. Acquiring companies are putting increased emphasis on the privacy practices of target companies in due diligence. After all, no one wants to purchase a company that is at risk of becoming a financial burden due to costs associated with prior data breaches or sloppy data management practices. In addition, the more developed a company’s data management practices are, the more cleanly the acquiring company can integrate them into its own systems and operations. Simply put, organizations that have invested the time and money to ensure their privacy practices are solid and up to date make more enticing targets than those that have not.
Successful businesses are those that properly determine where they should deploy their limited funds to get the best return on investment. Recent trends show that investment in privacy and data security is an important part of that conversation.