In their Stanford Law Review article "Privacy on the Books and on the Ground," Kenneth Bamberger and Deirdre Mulligan recognized “the importance of the professionalization of privacy officers as a force for transmission of consumer expectation notions of privacy from diverse external stakeholders, and related ‘best practices,’ between firms.” The IAPP's new Benchmarking Privacy Management and Investments of the Fortune 1000 study demonstrates that the authors’ vision of professionalization has materialized as a reality on the ground.
As the hub of activities for an emerging profession, the IAPP has grown in lockstep with the privacy industry. In less than a decade, it has gone from being an organization with a single employee and a few hundred members to one employing 80 people and providing training, certification, conferences, publications, professional resources and industry research to more than 19,000 members in 83 countries around the world. Privacy management has become a profession; it’s growing, and it is developing inroads into various parts of every organization, including research and development, product design, public policy, marketing, compliance, HR and IT.
A maturity curve is emerging; get on the curve. One important lesson from the study is the emergence of a privacy program maturity curve. The report indicates dramatic differences in privacy budget and responsibilities between programs in the early and mature stages. Early- to middle-stage programs report an average of one to three full-time employees, whereas mature-stage programs average 25. Privacy programs start small, focused on brand reputation, and rapidly expand in resources and scope to address regulatory compliance and government affairs. Based on the many diverse voices we’ve heard, our advice for companies is to get on the curve. It’s much better if the fact that a company is not investing as much as its competitors in data governance reaches the ear of the C-suite or board before it reaches the press. Companies that are already on the curve should ride it, as privacy programs have a clear growth trajectory both in terms of budgets and personnel. Being portrayed as a privacy leader as opposed to a laggard is good for brand reputation and good for consumer trust.
Privacy spend is growing; privacy spend is small. The benchmarking report shows Fortune 1000 companies spending an average of $2.4 million per year on privacy. To be sure, a $2.4 billion industry is nothing to scoff at. Just a few years ago—before Snowden, data breach notification laws, FTC enforcement actions and stories about privacy blunders on the front page of The Wall Street Journal—few commentators would have predicted this surge. Yet the privacy spend is still a fraction of the resources that businesses expend on data security. And as more and more cases demonstrate, even strong security measures cannot make up for failing to meet consumer expectations or using information in “creepy” ways. Accordingly, the report anticipates that investment in responsible data uses will grow.
Privacy is hiring. Privacy remains a nascent profession. Fifty-nine percent of respondents reported that they established their company’s privacy program themselves. This implies that the industry can still expect dramatic growth. Not surprisingly, the benchmarking report demonstrates that privacy budgets are set to grow. Nearly 40 percent of privacy professionals predict an increase in their budget in the coming year—by an average of 34 percent—and 33 percent intend to hire new privacy staff. Any industry with such demand for new blood will draw an increasing supply of qualified candidates. The IAPP helps channel young professionals into this funnel, for example, through its Privacy Pathways program. Under this program, graduate students in selected schools enroll in a grouping of privacy courses, undergo CIPP certification and are placed in a company for an internship or externship, thereby enhancing their privacy credentials and improving their potential as candidates in a competitive job market.
It’s not just about compliance: Introducing data ethics. Over the past few years, it has become clear that with privacy, even legal compliance and sound security practices are not sufficient to meet consumer expectations. With companies becoming laboratories for big data research, data ethics have become a critical component of a privacy framework. Some companies have reacted to the need for instituting internal processes by establishing standing review boards to help guide their data policies. The benchmarking report reflects these understandings with 14 percent of privacy leads identifying corporate ethics as an area in which they’d like more influence, eclipsed only by the marketing arena and equaled by sales. Thirty-nine percent of privacy leads said it’s “very important” to work closely with the corporate ethics team, just a tick below the 43 percent who feel it’s very important to work with the marketing team.
Privacy is spilling over from the privacy office. The study anticipates a large increase in hiring of part-time employees. This implies that as privacy programs mature, more of the work is done outside of the core privacy team and inside other organizational departments. This includes individuals who handle personal information as part of their day-to-day jobs but are not part of the privacy or data security teams in their organizations. For example, IT, HR, sales and marketing staff, as well as certain customer service representatives, require privacy know-how in order to spot issues and escalate problems to line managers or chief privacy officers. Basic privacy training will thus become part of the knowledge base for every corporate employee. In some instances, personnel will require more advanced and specific training sessions, such as HIPAA for healthcare staff or FERPA and COPPA for education.
To summarize, the privacy profession has come a long way but still has a long way to go. The IAPP is committed to continuing to track the development of the industry and update the members annually on current and emerging trends.
The IAPP has just released its first benchmarking report, detailing the privacy budgets and priorities of the Fortune 1000. Find it here.