My cartoon depicts the discrepancy in the security and privacy budgets at many organizations. Of course, the cartoon is an exaggeration. In an IAPP survey of Chief Privacy Officers at Fortune 1000 companies in 2014, privacy budgets were nearly half of what security budgets were. That’s actually better for privacy than many might expect. Outside the Fortune 1000, I think that privacy budgets are much smaller relative to security.
Fortunately, it does appear that privacy budgets have increased according to the 2016 IAPP-EY Annual Privacy Governance Report which surveyed 600 privacy professionals from around the world. Though the data captured in 2016 has far more details, comparing the charts published by the IAPP in 2015 vs 2016, you can see a significant increase in total privacy spend.
2015 Privacy Budgets
2016 Privacy Budgets
However, nearly 70% of the Chief Privacy Officers surveyed in the 2016 report still felt that their budgets were insufficient to meet their privacy obligations – up slightly from 62% in 2015.
Half of the budgets are allocated to salaries and travel while the other half is split between professional development, technology, consulting services and outside counsel. This has remained a relatively stable split.
While only 34% of respondents saw privacy budget growth on the horizon in 2015, a significantly higher percentage of respondents (57%) in the 2016 survey were optimistic that privacy budgets would increase.
About half of the respondents in 2016 felt that not enough was spent on privacy training in their organizations.
The best thing organizations should do is to spend like crazy on outside training vendors . . . in my totally unbiased opinion : )
GDPR Impact on Privacy Budgets
With the obligations of the GDPR taking effect in 2018, organizations need to increase their privacy budgets now to ensure they are ready. 35% of companies surveyed by the IAPP indicated they would be increasing their privacy budgets as a result of the GDPR. According to GDPR consultant Chiara Rustici, “For businesses that want to minimise risks, allocating budget to train their own employees to grasp GDPR requirements and empower them to actively find their own solutions is the safest bet.”
Source for all charts: IAPP-EY Annual Privacy Governance Report 2016
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy and security awareness training. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers. Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 4-7, 2017 in Washington, DC).