One of the joys and frustrations of working in data protection and privacy is the way the GDPR uses language. Controllers and processors must provide the ‘necessary’ resources and implement ‘appropriate’ organisational and technical measures. Words like that can seem unhelpfully subjective, so it’s important that Privacy Teams have the skills to explain what is ‘necessary’ and ‘appropriate’ – and why in some cases it might be beneficial to do more.
In some cases, data protection authorities have issued specific guidance about what is and is not permitted, and where this exists it should be followed. This should be simple to explain to the Board.
This article goes through the cases where no guidance exists, or where a Privacy Team believes it would be beneficial to do more than the minimum.
The first thing to consider is what category of investment you are talking about. Business leaders typically aim to do two things: make the business more efficient, and make it grow. Understanding which of these two objectives your project is designed to achieve is fundamental to building your case to do it.
Privacy professionals often think of their drivers in terms of ethics and legal obligations, so it may seem counter intuitive to think of privacy projects in these terms. However, the GDPR is specifically designed to support innovation and trade – so privacy projects actually lend themselves to these specific thought processes. And it is always easier to influence people when you are able to describe things using their frame of reference, or thought process…
Privacy and growth
Most privacy projects should be business growth projects. Think about it – the original GDPR readiness project was a business growth project, Privacy by Design is about business growth and data subject rights are generally about business growth too. This is a great thing, because business growth will always be the most appealing topic of conversation for Boards.
There are two aspects to growth: non-impedance and active encouragement. Non-impedance means reducing or removing factors that make it harder for the business to grow. Active encouragement means increasing or introducing factors that make growth easier. Privacy can affect both of these aspects, so it is important to consider which is the most relevant to your project.
Inadequate privacy practices can impede growth in three main ways: through lost sales, lost opportunities and lost margins. Typically, these issues will be relevant when making the case for why investment in a particular control is necessary.
Poor privacy typically results in lost sales when the target market is not prepared to buy a product or use its features because of privacy concerns. This is connected with reputational risk. For businesses selling to other businesses, this can be very obvious. Large companies seeking data processors are increasingly including data protection questions in their Invitation to Tender documentation. In these cases, it is clear that satisfactory answers are a minimum requirement in order to be considered for the opportunity. If this is happening in your organisation, it is a very strong pillar for your privacy investment case.
For businesses selling direct to consumers, the effect may be less immediately apparent. However, it is still real and can be quantified. As a starting point, research such as the 2018 Which? report Ctrl, Alt or Delete can provide broad indications of the market potential for products with different privacy orientations.
According to Which?, 13% of British people are in the ‘Liberal’ category, which means that they are least concerned about the privacy implications of data processing. 35% are in the ‘Tolerant’ category which means they are most concerned about data being sold to third-parties. 29% are ‘Concerned’ and uncomfortable about how data about them might be used, and finally 23% are ‘Anxious’. Clearly, the more ambitious a company’s growth targets, the more important a strong privacy orientation will be – because it will increase the number of people prepared to buy the product or service and use the features it offers.
The GDPR guidance recommends the use of focus groups and privacy teams to encourage market research to include questions about privacy and data processing expectations when new products and services are developed.
Lost opportunities refer to opportunity costs, rather than sales. These are the things businesses couldn’t do because they were otherwise engaged. The ICO may only have issued one fine so far under the GDPR, but it has been very clear that it has been engaging with businesses and encouraging them to comply. This may be less public, but it is not a soft option. Regulators provide ‘encouragement’ by carrying out investigations and recommending action plans, which must be completed quickly in order to avoid sanctions.
Any business that finds itself under the microscopic focus of ICO engagement and encouragement will be expending a considerable amount of resources on privacy, and not according to a timetable of its own choosing. This diverts resources and attention away from growth projects, which has a compound effect on growth over time.
Explaining the implications of this issue requires Privacy Teams to clarify the resource implications if a particular privacy decision is made during the main implementation phase, or later under duress. These implications can vary significantly, and it is important to understand them fully. In some cases, retrofitting a privacy requirement can require a product or service to be withdrawn completely whilst a new version is developed; in others it may require one or more planned features to be dropped from a release to allow the privacy functionality to be included.
Here, lost margins mean reduced profits due to costs incurred to cover fines and rectify issues.
Risks of this natures are quantified by multiplying the expected impact by the likelihood of the impact occurring. In other words, if the business thinks there is a 10% chance of a £1,000 cost being required, it will account for the risk as being worth £100.
With that in mind, it is helpful for Privacy Teams to ensure that Boards are starting with the right numbers. If Boards think only about the risk of being fined by the ICO, they will probably set the likelihood of that risk occurring at about 0%, as so few fines have been levied under GDPR in the UK to date.
However, this is not the only potential cost that can arise from privacy failings. Others include the costs of compensating customers who have suffered personal data breaches or other issues; the costs of investigating and resolving complaints; and in severe cases, the costs of defending and potentially losing lawsuits. Each of these has a different associated cost and likelihood, which Privacy Teams can calculate.
Considering each of these issues in turn enables Privacy Teams to calculate the impact that failing to implement particular controls could have on the business’ ability to achieve its sales objectives.
More positively, good privacy decisions can actively support a business to meet its sales objectives. The GDPR was designed to encourage data-driven innovation by giving individuals the confidence to provide their data to organisations and by giving organisations the confidence to use that data.
Privacy Teams wishing to make a case for investment in privacy-driven innovation need to consider sales and marketing issues such as customer expectations, competitor activity and the ability to address new market niches.
Customer expectations are very important to all businesses. Improving the ability to meet and exceed expectations improves customer retention and increases word of mouth recommendations. One of the ways businesses set customer expectations is through their business ethics – their vision, values and brand promises. The Right to be Informed means that the approach to privacy can be an important element of communicating the authenticity of those promises.
Organisations need to publish information about how they process data in privacy notices. The information provided here, and the way in which it is presented, provides verbal and non-verbal information about how well the organisation aligns what it says with what it does. If an organisation is not able to communicate processing in a way that clearly demonstrates that it is living up to its values, it is neither meeting nor exceeding customer expectations and this can result in lost sales.
Privacy Teams need to be able to explain the effect of privacy decision-making on the information that will be provided to individuals and the effect it is likely to have on retention and recommendations. Over time, Privacy Teams will be able to gather evidence of the impact of different privacy notice updates on these areas. Focus groups can also be used to help Privacy Teams understand the effect of different approaches to privacy decisions.
Privacy Teams should ensure that competitors’ products and product features are monitored for evidence that increased privacy investment is necessary to maintain or press an advantage. The GDPR requires organisations to consider the ‘state of the art’ when making privacy design decisions, and competitor activity reviews can identify when your products and services are falling behind.
Where privacy investment has the potential to support or drive sales, Privacy Teams may be best placed to help the business recognise the opportunity and understand how to translate it into innovation. Making the case for this type of privacy investment requires Privacy Teams to be able to articulate the potential benefit and the work required so that marketing and operations teams can assess the market opportunity and need for change.
Examples of relevant competitor activity include: where privacy becomes more explicitly part of sales and marketing communications; where uprated privacy enhancing technologies become available; or where poor privacy performance by a competitor starts to harm their reputation. These may be more obvious to a Privacy Team than to any other part of the organisation.
The Privacy Team needs to be able to clearly explain what is happening, the effect it is having on the competitor or the market and the costs associated with taking action in response.
New market niches
Privacy Teams may also be best placed to spot some types of new market niche, where a particular privacy orientation or specific privacy practice might be required. This may be a result of a new law affecting certain customers, an emerging technology or a change of attitude amongst a particular group of consumers. In these cases, the privacy implications may not be obvious to other areas of the business, or the innovation opportunity arising from the implication may not be obvious.
Here again, the Privacy Team needs to be able to clearly explain what is happening, the effect it’s having on the market niche, the costs associated with taking action in response and enough information to help the business identify the size of the market opportunity.
Privacy and efficiency
Some of the tasks that the GDPR requires organisations to carry out do not bring growth opportunities, and in these cases Privacy Teams will need to consider efficiency savings when making the case for investment. These include tasks such as managing risks, overseeing compliance, facilitating data subjects to exercise their rights and maintaining records.
Efficiency savings typically result from improvements to direct and indirect costs. Direct costs include staffing costs and recurring fees. Indirect costs include opportunity costs – which generally means the amount of time the person carrying out the task would otherwise be spending on growth-oriented tasks.
Making a case for privacy investment in these areas means calculating the direct and indirect costs associated with the current approach and comparing them with the costs associated with the proposed approach. For example, this might mean calculating the time saving associated with managing privacy risks using privacy management software, such as CyberComply or OneTrust. Privacy Teams should expect that investment will only be agreed if they can demonstrate a clear efficiency improvement in a reasonable time frame.
In many cases, privacy investments will benefit organisations in more than one of the listed ways. The clearer Privacy Teams can be about the benefits, and the more able they are to demonstrate the effects of privacy decisions on organisational impacts – the better they will be to advocate investment for privacy.
By Camilla Winlo, Director of Consultancy at data protection and privacy consultancy, DQM GRC.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.