Privacy budgets at a glance
Learn your organization's process really well, define your needs and then work backwards, and get key decision makers involved as early as possible.
From the perspective of a company finance leader, executives look for line items that can produce cost savings and/or revenue growth.
Positioning privacy as an asset is key, so work to draw a line between privacy initiatives and deal conversion, as well as ways privacy can lead to greater efficiency and cost reduction.
The following are the highlights from a recent webinar focused on practical strategies for getting the privacy budget you need in 2023, featuring Transcend's Finance Leader, Chris Shishido, and General Counsel and Head of Privacy, Brandon Wiebe. You can watch the full recording here.
Note: The following text has been modified for readability.
The basics of privacy budgets
1) Learn your organization’s budgeting process really well and really early
Defining and advocating for a budget can be a complex process with many moving parts. Start asking questions early on to better understand how the budget process works at your company and how dollars are allocated each year. Get a sense of who owns budgeting decisions, what the process will be, how to submit a request, and who ends up making that final decision.
It’s also important to understand what the impacts are if your team gets more budget. Budgeting is often a zero-sum game, so if you get everything you asked for, that’s likely going to affect other teams. Try to learn what tradeoffs decision makers and management are having to make, as this will help you better advocate for your own resources.
2) Define what your budget should be and plan backwards from there
The process begins by developing a strategic vision for your team.
What is it you want or need to accomplish over the next year?
How do those things align with company goals?
Once you have a strategic vision of what your world looks like 12-16 months from now, you can begin the backward planning to figure out what resources you’ll actually need. Using that context, you can put together a better-articulated budget that ties to those goals.
3) Get decision makers onboard as early as possible
If the first time you request a line item or new resource is when you’re actually submitting the budget proposal, you’ve probably waited too long. As early as you can in the budgeting cycle, start thinking through the resources you’ll need for next year. Then, share that with your manager and get aligned on what that vision actually looks like.
Being able to show decision makers early on what your goals are and what the world looks like if you do get what you're advocating for will set you up for success when it comes time to actually submit your budget request.
A finance leader's POV on budget request best practices
The goal of framing a budget is to put it through an ROI lens, which makes it much easier for a finance team to digest.
If I were developing a privacy budget, it would be all about quantifying actual cash savings and then quantifying potential increased revenue—so literally putting a dollar amount to it.
Then it can be as simple as putting those numbers on a slide or a proposal and passing that to your finance team. Whether it’s software spend, talent acquisition, a new partnership, or working with a contractor, a budget framed in terms of ROI will be more understandable and compelling for a finance team.
When looking at a request, finance teams will often ask: what is the timeline to recoup the initial and/or annual cost for a budget line item? If you’re defining a privacy budget for the first time and you want to illustrate how much cash savings your team generates, there are a couple of paths you can take.
Calculate potential savings from process automation
If your team is manually processing your DSRs today, start by looking at work hours spent and compute costs. This is essentially ascribing a dollar amount to the cost of doing nothing.
Then calculate the potential savings from automating the process. Could your company eliminate human processing errors and free up work hours by partnering with an outside vendor? If that turns out to be the case, that’s a very good thing.
Pass that knowledge onto your finance team—showing them that the timeline to break even for a specific budget request is very real and very near term, rather than four or five years out.
Tie privacy initiatives to direct revenue growth
If it’s at all possible, try to tie privacy initiatives to direct revenue growth. This will require input from other teams at your organization, so it’s important to build cross-functional alignment pretty early on.
For example, you can partner with your marketing team to assess whether increased customer trust through privacy initiatives can drive greater prospect conversion. If it can, you have something that ties directly to revenue generation, which makes a new line item so much more justifiable.
Another scenario, if you’re more advanced in your privacy budget process, is to partner with your sales team—looking at your 2023 forecast and trying to segment your customer base to identify a specific sub-segment that would like your product more if you had a higher standard of privacy.
Essentially you’re allowing your team to say that the company can compete up-market or in a new segment by investing in privacy.
All this points back to one topic—ROI. ROI is the gating decision for a lot of finance teams, so if you can tie revenue dollars to budget that’s going to help you immensely.
Positioning privacy as an asset
As privacy professionals, we tend to think about risk and harm mitigation, but those types of things don’t typically make it into a company’s goals for the year. For example, most organizations don’t have an OKR of getting sued less.
But for any risk mitigation activity, there’s usually a corresponding growth opportunity that you can describe in your request.
Does your company have a broad initiative related to customer experience, trust, and success? That could be directly tied to customer conversions. Especially in the B2C context, that trust relationship is imperative to building a strong brand.
Initiatives like eliminating dark patterns, clarifying your privacy notice, making opt-outs and privacy requests more accessible—these are regulatory requirements, but they also have an immense positive impact on customer experience and success. And, ultimately, customer conversion and retention.
If you're able to draw a line connecting privacy work and customer benefit, that’s going to be really valuable.
Investigate the relationship between your privacy stance and deal conversions
In the B2B context, another option is to look at how many times prospects have asked about your company’s privacy practices during a deal cycle. How many times did the prospect want to negotiate a DPA? Are you running into prospects that are uncomfortable signing up for your service because you can’t confirm you’ll delete all their data on termination?
On the privacy side, we characterize that as a regulatory risk under GDPR and CCPA. But on the budget side, we can also very clearly articulate cost to the company in terms of lost deals and revenue.
Tie privacy initiatives to cost reduction projects
There are also ways to identify privacy initiatives as cost reduction measures for the business.
Can processes be improved through automation?
Is imprecise collection or over collection of user data costing your business?
Data minimization projects, which are key to a lot of early privacy programs, fit really well with company projects to improve margins, reduce hosting costs, and eliminate tech debt. If you start to look at the work your engineering or security team is doing, there’s going to be overlap between some of your privacy initiatives and cost reduction goals in other parts of your business.
Educate leadership on the cost of enforcement actions
It’s totally fine to use fear of regulatory penalties and enforcement actions as a stick to advocate for resources. But, if you do go down that route, you’ll need to spend some time educating finance and other budget decision makers on what those risks actually are.
That requires some work figuring out how to quantify those risks. Companies have lots of different approaches for doing this, but in past roles I used a fairly simple method of scoring risks.
After you’ve done a privacy gap analysis and have a long list of things you know you’re out of compliance for, score each of them on the likelihood that risk will impact your business. You can do a 1-4 rating on that likelihood. Then multiply that by the scope of the impact if that risk were to occur.
You can use that back of the napkin formula to put together a sense of what risks the company is carrying on an ongoing basis and then tie those into how your privacy budget reduces those risks long term.
Using privacy metrics to strengthen your budget proposal
There’s a ton of potential privacy metrics to look at, but I’ll highlight a few that jump to mind. In terms of how the privacy program can drive revenue, particularly in the B2B context, tracking things like:
The number of DPAs negotiated
The number of privacy inquiries from prospects that led to a deal
The value of those deals in terms of revenue
This is a great way to draw a line between your privacy projects and the company’s bottom line.
Another thing to consider is—did you lose any customers or deals because of a privacy issue? Did you get into a conversation with a prospect, but they decided to go with a competitor because they weren’t comfortable with your company from a privacy perspective?
Quantifying that makes a really good argument for why allocating resources to the privacy team can help drive revenue for your business.
Driving greater efficiency with your requested budget
The other area of metrics to look at is how process improvements and your requested budget will drive greater efficiency—not just on your team, but across the business overall.
One example is tracking the number of audits that you get: privacy audits, third party audits, customer audits. Or, the number of privacy impact assessments you have to perform.
One big thing for a lot of orgs is the number of DSARs you have to process and how long it takes to process each one. Is your customer success team fielding DSARs manually? What’s the time impact for them as they’re processing these things?
Develop a formula for calculating risk
The last thing I’d recommend is working to develop metrics and a baseline for tracking privacy risks. If you can adopt a formula for tracking risks and then stack rank those risks based off the likelihood of occurrence and the size of downside—you can demonstrate how the budget you were allocated actually led to risk reduction.
This is not just a snapshot-in-time project though; it should be something you’re tracking long term. If done correctly, when you get to the end of next year, you’ll be able to show that the risk matrix got shorter because of your program’s work.
Privacy budgets through an income statement lens
I look at a budget request through an income statement lens, which I use as a proxy for the total business. Income flows from revenue down to net income, which is basically the bottom line.
For a privacy budget though, I actually like to approach it in reverse order. This is because if you start with the bottom line, which is basically downside aversion, you focus your initial thinking on costs that flow straight to your bottom line. You can then build upwards from there.
1) Consider the penalties for non-compliance
You’re essentially asking—what is the penalty for non-compliance? What are the fines and penalties for non-compliance in your specific industry and location?
Most privacy fines are calculated on a per occurrence basis, usually meaning the number of consumers your non-compliance affected. So you can calculate a potential fine by multiplying the number of consumers whose data you hold by the maximum fine noted by the relevant regulation.
That number is often so large, it can be multiples of your annual privacy budget.
2) Build out models for other common scenarios
From there, start building up to other scenarios. Talk to your security team and assess the cost of a data breach, including the impact to your brand. The security team is likely already assessing that as is, but you can actually include that number in your budget request because they do go hand in hand.
You can also include the potential upside if your team had the resources to identify and respond to a security incident super quickly.
In the more practical arena, I would look at insurance premiums. Can you realize better insurance premiums if you increase privacy controls?
These are all foundational questions and they really do establish a baseline for your privacy budget. Worst case scenario, you could add these all up and say here’s why my privacy budget is justifiable. From there you could work your way up from the bottom line to operational items.
Think about your company’s budget and then pinpoint line items where your privacy initiatives can actually alleviate costs.
3) Consider how privacy can affect revenue growth
The last area I look to, which I think is one of the most important ones, is—what’s the potential revenue growth impact of investing in privacy? Work with your sales and marketing team to assess how privacy can generate greater conversion. If your privacy budget is totally justifiable from a bottom-line perspective and has the potential to increase revenue generation, that’s really the magic combination.