Privacy law, GDPR and the obligation on organisations to demonstrate accountability are not going to go away. With consumer awareness rising rapidly, businesses pushing for higher data utility, and private equity and institutional investors looking for demonstrable “social good” in their due diligence, ignoring data privacy is not an option.
Privacy debt, therefore, is the cost of the unmanaged privacy risk that a company builds up while innovating and growing without considering data privacy. It has three elements:
1. Current operating debt: the total cost of the risk that current operations carry against current and imminent privacy compliance gaps (e.g. potential penalties, prosecution, orders to cease processing, remediation costs).
2. Current brand debt: the total cost of the risk arising from gaps between consumer privacy expectations and current privacy protection capability (e.g. reputational damage from a breach, affecting customer loyalty, online traffic, partnerships, investment and M&A).
3. Capability debt: when a business expands into new markets, acquires companies, extracts more utility from its data or moves to cheaper online applications without building in privacy by design and data protection, the body of work, and the cost of changing course, grows larger with every passing year and every further business change.
As with any debt, there is a limit to what a business can carry without impact. With privacy, however, that limit often becomes evident only after a major incident, because senior leadership has not made data privacy and cybersecurity an investment priority for business as usual.
With ESG accountability requirements, “social good”, sustainability and data protection are becoming an integral part of demonstrating a business’s legitimacy to customers and investors alike. I believe the ability to demonstrate accountability, from the privacy function to the executive and from the executive to the outside world, will become more critical.
Privacy debt, therefore, is a useful tool for quantifying to the executive the cost of that risk in terms of time, money and restricted capability (e.g. being unable to close an acquisition). I hope this will help those of you who are struggling to justify budget, headcount and visibility for your privacy program.