Privacy & Information Security Law Blog

On January 27, 2020, CISCO released its 2020 Data Privacy Benchmark Study entitled “From Privacy to Profit: Achieving Positive Returns on Privacy Investments” (the “Study”). The Study explores the return on investing in privacy compliance for organizations, examines how such return correlates with an organization’s accountability level and details the value of privacy certifications in the buying process. To measure organizations’ accountability level, CISCO used the CIPL Accountability Wheel, a privacy accountability framework developed by the Centre for Information Policy Leadership. More than 2,500 respondents took part in the Study from across 13 countries.

Privacy Spending, Benefits and Returns: The first section of the Study sought to analyze company investments in privacy across different sizes of organizations, the benefits organizations are seeing from these investments and the financial return on investment. This section of the Study concluded that:

• Average annual spending on privacy amounted to $1.2 million;
• Companies are enjoying many benefits beyond mere compliance through investing in privacy, including reducing sales delays, mitigating losses from breaches, enabling agility and innovation, achieving operational efficiency from data controls, making the company more attractive to investors, and building loyalty and trust with customers; and
• The average ratio of benefits to privacy spend was 2.7:1 (i.e., for every dollar spent on privacy, the organization received $2.70 worth of benefit). Almost half of the participants in the Study (47%) are seeing greater than a two-fold return on their privacy investments.

Measuring and Valuing Privacy Accountability: The second section of the Study involved measuring and valuing the privacy accountability of organizations against the CIPL Accountability Wheel, which is a data privacy accountability framework comprised of the seven essential elements of accountability, (1) leadership and oversight; (2) risk assessment; (3) policies and procedures; (4) transparency; (5) training and awareness; (6) monitoring and verification; and (7) response and enforcement.

According to the report, survey respondents were asked to evaluate their progress on each of the seven elements of the Accountability Wheel on a scale from 1 to 5, with 5 representing the highest level of maturity of an organization with respect to a specific element. Key takeaways from this section of the Study included:

• The overall average accountability score for organizations was 3.65/5, with 33% of companies scoring over 4.0;
• High accountability scoring organizations spend more on their privacy programs but see much greater benefits than organizations with a low accountability score ($1.4 million in additional benefits);
• Impact and costs of a breach were significantly lower for high accountability scoring organizations with such companies experiencing 19% less downtime for breaches, 28% fewer records impacted by a breach and 10% lower breach costs; and
• Organizations with accountability scores above 4.0 averaged only 3.6 weeks of privacy-related sales delays compared to 5.5 weeks for those organizations with a low accountability score.

Value of Privacy Certifications in the Buying Process: The final section of the Study involved examining the value of privacy certifications in the buying process. Privacy certifications are formal accountability schemes involving some form of third party review and approval, which help to demonstrate accountability to regulators, business partners, clients and individuals. This section of the Study concluded:

• Privacy certifications represent a buying factor when selecting a vendor or product for 82% of organizations worldwide;
• Although the Study revealed that privacy certifications are an important buying factor across all countries surveyed, particular importance is placed on certifications in India (95%), Brazil (95%) and China (94%).