As data protection laws popped up around the world, many armed with strict penalties for noncompliance, organizations quickly realized they had to be proactive to meet those regulatory requirements.

Staying on top of those compliance requirements meant pouring significant financial resources into comprehensive privacy programs. But as the EU General Data Protection Regulation closes in on its two-year implementation anniversary and the California Consumer Privacy Act enjoys its infancy, have those privacy investments yielded positive returns on investment?

According to Cisco's 2020 data privacy benchmark study, the answer is yes.

The company fielded responses from 2,500 professionals across 13 countries for its study, "From Privacy to Profit: Achieving Positive Returns on Privacy Investments." Respondents were asked to provide the size of their total annual privacy spend and estimate the financial benefits their investments have had on six categories: reducing sales delays, mitigating losses from data breaches, enabling agility and innovation, making the company attractive to investors, building loyalty and trust with customers, and achieving operational efficiency from data controls.

Based on the responses it received, Cisco found for every $1 an organization spends, they receive a $2.70 return on investment.

Robert Waitman, CIPP/US, a director in Cisco's privacy office, said the biggest ROI discrepancies were not based on company size but rather the maturity of an organization's privacy program.

As part of the study, participants were asked to rate their progress on the seven elements found on the Centre for Information Policy Leadership's Accountability Wheel, which include, for example, leadership and oversight, response and enforcement, and risk assessment.

Respondents were asked to evaluate their progress on each of the elements on a scale from one to five. Should an organization give itself a score of one in any category, it means it has made very little progress in that area of the privacy program. On the other hand, a score of a five signifies the company has either done most or all the work needed to ensure the element in question is fully operational.

Waitman said Cisco has worked with CIPL in the past and that his company found the Accountability Wheel to be the best way to measure the maturity of respondents' privacy programs for this study. He notes the Accountability Wheel is not an overly precise scale, but the responses backed up what Waitman ultimately expected: The more mature privacy programs were seeing much better ROI.

Companies that had scores above four saw a $3.10 return on investment compared to $2.30 estimated by organizations that scored between one and three.

Cisco also broke down the ROI results based on a geographic level. The U.K. reported the highest return on investment at $3.50, with Mexico, Spain, Brazil and China all receiving three times their investments. The U.S. was slightly below average at $2.60, while India was at the bottom of the list at $1.90.

"Even the lowest number at 1.9 is getting basically twice their investment, so all of these are good from the perspective of whether these investments are worthwhile," Waitman said. "We wondered whether there was a ... privacy framework so onerous and difficult from a regulatory standpoint that people aren’t getting returns. The answer to that is no."  

Waitman said while there have been some GDPR growing pains, the legislative landscape has allowed for positive ROI overall.

However, there is always a possibility that could change. He said organizations could see their ROI plummet should they have to comply with a patchwork of 50 U.S. state laws, as it will become overly complicated and expensive for privacy programs to adhere to laws with many different, contradicting requirements. On the other hand, ROI numbers could go up in the event a U.S. privacy law is passed.

Though Cisco's report may shed a light on the health of current investments, Waitman believes it can also be used by privacy professionals as a tool to catch the attention of the C-suite.

"If $100 gets you $270 on average, it’s probably one of the better investments you can make. We shouldn’t do the minimum necessary under the GDPR or whatever other regulation we are dealing with. There are all these other business benefits that are coming along that we should be conscious of, thinking about and building into our decision making when we decide what we are going to invest in. I think that is a strong message for everybody who works in the privacy community to be able to share," Waitman said.

The ROI arrow is trending upward, and it seems only seismic legislative changes would hinder momentum. Waitman has seen it head this way on a yearly basis. He pointed to the six categories Cisco developed for respondents to consider as they formulated their ROI estimates. For each category, between 67% and 74% of respondents said they have seen "significant" or "very significant" benefits in that area. Waitman said those percentages were all in the 30s and 40s in Cisco's 2019 study.

The category that received the 74% was building loyalty and trust with consumers, and it might be the other signal besides privacy legislation that suggests organizations will continue to get good returns on their financial investments going forward.

"I think that the value is going to go up overall, and I think it's largely because of the shift of the rights to the individual," Waitman said. "The idea is that consumers will have a larger say in whom they work with. Customers will want to have the right answers for these kinds of questions or else they are not going to do business. Therefore, it’s going to be even more valuable for companies to get this right. It will be increasingly seen as part of the brand, as part of the value the company provides." 

Photo by Christine Roy on Unsplash