Published: November 2014
Over the summer of 2014, the IAPP embarked on the first of what will be an annual effort to research and benchmark the privacy programs of the Fortune 1000. In partnership with third-party research firm Fondulas Strategic Research, we queried roughly 275 privacy leads at Fortune 1000 companies, all of them large, private, for-profit firms operating from a base in the United States, and got a 23-percent response rate, providing us with one of the most comprehensive samples of corporate privacy leaders ever assembled.
Expert perspectives on the report can be found below:
- How Far We’ve Come … And We’re Only Getting Started
Author: Trevor Hughes, IAPP President & CEO
- Sales and Profits Are Everyone’s Responsibility—Shouldn’t Privacy Be Too?
Author: Hilary Wandall, CPO at Merck
- Every Company Is Now a Tech Company
Author: Nuala O'Connor, head of the Center for Technology and Democracy
The big-picture findings: Based on our analysis, we estimate that in total the Fortune 1000 spends roughly $2.4 billion on managing privacy (taking our average budget number and expanding to the full sample size), a number we’re referring to as the Privacy Industry Index. Fortune 1000 companies sampled spend an approximate average of $76 per employee on privacy, or $204 per $1 million in revenue.
While there’s considerable variation in the Fortune 1000, understanding how these top companies manage privacy provides important insight into the current state of corporate privacy in the United States. The smallest company does about $2.5 billion in revenue. The largest, Wal-Mart, does almost $500 billion, about 200 times those smallest firms. At the same time, these are all large companies. No start-ups or SMEs here.
In the report that follows this executive summary you will find benchmarking information grouped in four major categories:
People and staffing: We document the demographics of the privacy lead and his or her staff, including both full-time privacy staff and those employees who lend only part of their time to the privacy team.
Organization structure: How is the privacy team situated within the organization, over what do privacy staff have oversight and with whom are they working on a daily basis?
Budget: We discover the average privacy budget per company ($2.4 million), and then break down that number by maturity of the program, vertical market, number of employees and annual revenue. Further, we break out the pieces of the budget to establish what these organizations are spending their money on.
Priorities: Which areas of responsibility are seen as most important? Which areas of the organization would privacy professionals like more insight into and influence over?
With this, we hope to offer privacy professionals throughout both the Fortune 1000 and the world at large a way to evaluate their own programs and to advocate for the budget, tools and relationships they need to accomplish the daunting task of overseeing privacy in an ever-changing technological landscape with seemingly endless layers of regulations to comply with, cultural sentiments to accommodate and consumer expectations to satisfy.
Surely, every reader will find different aspects of the findings interesting, but we offer three major takeaways:
A clear maturity curve is forming.
We asked the respondents to characterize their own programs on a spectrum from “pre-stage” all the way to “mature stage.” Perhaps it’s not surprising that there are stark differences between early- and mature-stage programs. Those who called themselves pre, early, or middle stage reported an average of 3.3 full-time employees, while the 26 percent of firms in the mature stage reported an average of 25 full-time employees. Further, those who reported themselves “mature” have an average budget of $4 million annually, a full 67 percent higher than the average spend.
Mature programs differ greatly from their counterparts in early stage. They report different responsibilities, different priorities and different resources. For example, all mature-stage programs are tasked with training staff and creating privacy policies, along with the procedures and governance necessary to implement them. They are also much more likely to monitor their programs themselves. More than half of the mature-program respondents go so far as to purchase privacy-enhancing technology and tools. They engage with outside consultants for privacy assessments and manage government affairs matters in a way that other firms do not.
It is also interesting to note the priorities of early-stage programs. Firms that are just standing up their privacy programs are initially much more focused on protecting their brand and reputation in the marketplace (29 percent vs. 14 percent of mature programs). They aren’t as worried about compliance with the law as with meeting the will of their customers.
Privacy is becoming a core market differentiator (just note Apple’s new privacy features or Facebook’s redoubled privacy efforts), both a way to distinguish oneself and a way to run afoul of consumer sentiment if not handled correctly. Mature programs have a clear edge in staffing and program sophistication and have realigned priorities to take advantage of the privacy sophistication that’s been instilled in the organization.
Privacy is hiring. A lot.
Many of the programs headed up by respondents are already moving up the curve.
Thirty-three percent of the companies reported an intention to hire more full- and part-time employees in the coming year. The increase in full-time (29 percent) employees is less than the stated intended increase for part-time employees (40 percent), implying that, as privacy programs mature, more of the work is done outside of the core privacy team and inside other organizational departments.
Extrapolating the average headcounts out to the full Fortune 1000, then multiplying by the expected average increases, this translates to a projected increase of 950 full-time privacy professionals over the next year, with another 2,200 professionals with privacy as a part of their responsibilities.
Similarly, 38 percent of respondents said they would likely increase their privacy budget in the next year. Moreover, the expected budget increase for those who intend to grow is substantial: an average estimate of 34 percent. Only 10 percent of respondents expected budget contraction.
Based on current spending levels and project spending from respondents, we therefore predict privacy spending to approach $3 billion in 2015.
Privacy Leaders are working tightly with IT and infosecurity professionals. Ethics is next.
Privacy leaders expressed comfort with their influence over regulatory compliance in their organizations. These results are similar to those in previous surveys. It may be surprising, however, that a solid majority of respondents report satisfaction with the influence they have over IT (64 percent) and infosecurity (61 percent) operations. Just a small portion of respondents stated that they would like either a great deal or some more influence over those areas.
Further, infosecurity colleagues are the peers with which privacy leads work most closely (93 percent), followed by the legal team (89 percent) and the information technology team (79 percent).
With data ethics and research protocols becoming a hot topic in the press and at conferences around the world, it’s not surprising to see ethics begin to creep up the priority list. Thirty-two percent of privacy leads are satisfied with their influence over corporate ethics, with 14 percent identifying that as an area in which they’d like more influence, eclipsed only by the marketing arena and equaled by sales. And 39 percent of privacy leads said it’s “very important” to work closely with the corporate ethics team, just a tick below the 43 percent who feel it’s very important to work with the marketing team.
Clearly, privacy is still a nascent profession.
The steep growth in the IAPP’s membership numbers – from 10,000 members in 2012 to a projected 20,000 at the end of 2014 – demonstrates the growing recognition in the marketplace for the importance of sound data governance practices. Yet, a majority of respondents, 59 percent, reported having established their company’s privacy program themselves. This implies that the privacy industry can expect to experience dramatic growth.
As more companies move up the clearly solidifying privacy maturity curve in the near future, we expect to see a rapid expansion in investment and attention to privacy among the Fortune 1000.