Why IT is essential to data privacy: a business case to your CFO


Happy New Year! For the past 10 years, we privacy professionals have tried and tried and tried to make a business case for investment in privacy compliance. Let's try a radically different approach in 2025!

ROI Analysis: Privacy Compliance Investment

Who is this intended for: CEO, CFO

Executive Summary: Recent market data shows we're actively losing revenue opportunities due to insufficient focus on privacy compliance. Most notably, we recently lost a $417,000 deal specifically because we couldn't demonstrate sufficient data privacy controls to the client. This represents just one identified instance of revenue leakage.

Business Impact:

  • Direct Revenue Loss: $417,000 (single documented case)
  • Estimated Annual Revenue at Risk: $2.5M-3M (based on current pipeline requiring privacy attestation)
  • Market Position: Falling behind competitors who have achieved privacy certifications

What we are hearing:

--> Data privacy compliance: "This is an expense with no reward"

Also:

  • "Information Security will protect data enough" (data access is not the same as data use: security controls who can reach the data, privacy governs what it may be used for)
  • "We have a privacy policy and that's enough" (that is the website privacy notice; it says nothing about how privacy compliance is operationalized)
  • "IT knows where the data is and who has access to personal data" (cue the cat meme: huh???)
  • "We don't get inquiries, so we don't need to focus on this" (which is taken to mean that no PI inventory and no DSAR process are needed)
  • "The website privacy notice is written by legal, so IT does not need to be involved" (ahhhh... so wrong)

--> IT systems and infrastructure: "This is an expense with no reward"

Also:

  • "Who cares about patches and other software updates? We use the major tech products, which have adequate security and updates"
  • "IT knows the systems they manage" (except they do not, because shadow IT and subscription-based cloud apps bypass IT entirely)
  • Several licenses may have expired (anti-virus, website TLS certificates, etc.) and this goes unnoticed, so the IT infrastructure is no longer being protected

Fact: the newest equipment, OS and applications are issued to the C-level and their equivalents, so they do not see that the rest of the employees' equipment and the infrastructure are sub-par!!!

Competitive Analysis: Market leaders (including our primary competitors) have already invested in comprehensive privacy compliance, for example:

  • GDPR compliance
  • CCPA framework implementation
  • Other jurisdictions' privacy legal and regulatory requirements
  • Privacy-focused certifications and attestations such as SOC 2 (with the Privacy trust services criterion) or ISO 31700 (privacy by design)

These investments are now standard requirements in enterprise-level contracts.

Clear gaps in perception of roles, responsibilities and facts on the ground:

1. IT does not understand how to manage personal data usage (frankly, they don't care, and they shouldn't have to: deciding what personal data may be used for is a business and privacy decision, not an IT one)

2. IT does not have the means to implement "policies" for data handling; data classification, for example, does not cover consent and the choices individuals have made

3. Business requirements may not take data privacy compliance requirements into account, so IT builds to the requirements it is given and the privacy requirements are missed

4. The organization cannot demonstrate adequate privacy compliance to a potential new client unless it goes through a certification and remediation process, and in the meantime it may lose a major deal

5. Privacy relies on adequate privacy-by-design controls but also on the underlying IT infrastructure: software versions, encryption strength, and other security and OS-level controls

6. Any weakness in the above exposes the organization to privacy incidents, breaches, legal liability, and loss of trust and of new clients

7. Understanding visitor traffic and which third parties are embedded in your website(s) (the scripts, tags and pixels that receive visitor data)

8. IT and cyber security do not know that they need to operationalize the "image" you present in the privacy notice on your website

9. IT knows the systems they manage, but not what the business brings in, or the cloud apps it subscribes to in order to expand its operations

10. Some parts of your IT infrastructure are 10 years old and have not been brought up to speed or matched with appropriate equipment

Risk Mitigation (business direct impact):

  • Protect against lost sales opportunities
  • Protect against regulatory scrutiny, and be able to demonstrate ongoing compliance with applicable laws and regulations
  • Reduce risk of privacy-related incidents (different than security caused privacy incidents)
  • Maintain competitive position in enterprise sales
  • Enable expansion into regulated markets

Recommendations:

  • Month 1-2: Help IT build a clear inventory of their systems, OS versions, software licenses, certificates, etc. This will help privacy compliance tremendously;
  • Month 2-4: Implement the internal Privacy Policy by introducing adequate business-level controls; get IT to work with Privacy to understand the baseline privacy compliance vs. the desired and achievable compliance that can be maintained on an ongoing basis;
  • Month 4-6: Implement the remediations identified: cover the big gaps, but also find the low-hanging fruit (these will educate the business the most);
  • Month 6+: Start the certification prep process. Continue until full operational compliance is achieved;
  • Month 10+: (for you to fill in the blanks)
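The Month 1-2 inventory step is where the shadow IT, the expired licenses and certificates, and the "IT knows where the personal data is" assumption all get tested at once. The following is an added example (it is not the article's own process or tooling) showing that reconciliation in Python: IT's asset list is compared against the SaaS subscriptions finance sees on corporate-card statements and against the privacy team's register of processing activities, and it reports anything the business pays for or processes personal data on that IT does not manage, plus anything expired or expiring within 30 days. All names (hr-payroll, crm, SurveyTool, the example.com certificate) and dates are constructed sample data.

```python
"""Reconcile three views of the estate: what IT manages, what finance pays for,
and what the privacy register says processes personal information.
Added example with constructed sample data; not the article's own process."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Asset:
    name: str
    expires: Optional[date]  # license or certificate expiry; None if not applicable


def _lower(s):
    return s.lower()


def reconcile(it_assets, finance_subscriptions, processing_register, today, horizon_days=30):
    """Return the gaps the business case describes, as a dict of sorted lists."""
    managed = {a.name.lower() for a in it_assets}

    # Shadow IT: the business is paying for something IT never onboarded.
    shadow_it = sorted(
        (v for v in finance_subscriptions if v.lower() not in managed), key=_lower)

    # Privacy gap: a processing activity runs on a system IT does not manage,
    # so nobody can answer "where is the personal data and who has access".
    unmanaged_pi = sorted(
        ((activity, system) for activity, system in processing_register
         if system.lower() not in managed),
        key=lambda pair: pair[0].lower())

    # Hygiene gap: expired, or about-to-expire, licenses and certificates.
    horizon = today + timedelta(days=horizon_days)
    expired = sorted(
        (a.name for a in it_assets if a.expires and a.expires < today), key=_lower)
    expiring_soon = sorted(
        (a.name for a in it_assets if a.expires and today <= a.expires <= horizon),
        key=_lower)

    return {
        "shadow_it": shadow_it,
        "unmanaged_personal_data": unmanaged_pi,
        "expired": expired,
        "expiring_soon": expiring_soon,
    }


# Constructed sample data (hypothetical names, not taken from the article).
IT_ASSETS = [  # what IT's own inventory says it manages
    Asset("hr-payroll", None),
    Asset("crm", date(2025, 1, 20)),
    Asset("www.example.com TLS certificate", date(2024, 11, 30)),
    Asset("endpoint-antivirus", date(2024, 9, 15)),
]
FINANCE_SUBSCRIPTIONS = ["SurveyTool", "crm", "e-signature SaaS"]  # corporate-card SaaS spend
PROCESSING_REGISTER = [  # (processing activity, system it runs on), per the privacy team
    ("Payroll", "hr-payroll"),
    ("Customer NPS surveys", "SurveyTool"),
    ("Sales pipeline", "crm"),
]


def sample_findings(today=date(2025, 1, 6)):
    """Run the reconciliation over the constructed sample data."""
    return reconcile(IT_ASSETS, FINANCE_SUBSCRIPTIONS, PROCESSING_REGISTER, today)


if __name__ == "__main__":
    for gap, items in sample_findings().items():
        print(f"{gap}: {items}")
```

With the constructed data the survey tool shows up twice, as shadow IT and as a system holding personal data that IT does not manage, and the expired anti-virus license and web certificate surface without anyone having to notice a browser warning first. In practice the three inputs would be exported from the CMDB or MDM, from expense reports, and from the record of processing activities; the same join is what turns "IT knows their systems" into a list the CFO can read.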

Would you like me to expand on any particular aspect of this business case?


Nicholas Nelson

Security Architect | CISSP | RMF Specialist

4mo

Any preferred software or recommended process for asset and/or data inventory?


This perspective on C-level challenges is refreshing. We're eager to see your proposed approach for 2025.


More articles by Amalia Barthel, CIPM, CIPT, CRISC, CISM, PMP, CDPSE
