Organizations across all sectors face increasing pressures to address privacy and security risks while maintaining operational excellence. Whether implementing digital solutions, adopting artificial intelligence (AI) technologies, or safeguarding sensitive information, privacy and security programs are no longer optional—they are fundamental.
Building the business case for investment is one of the biggest challenges for people responsible for privacy and security. Why would Boards of Directors and executives spend limited resources on privacy and security when the organization faces so many competing priorities? It’s often considered crass to express privacy and security in terms of dollars and cents, but it’s necessary for privacy and security officers to demonstrate a return on investment (ROI) for their programs.
ROI differs depending on whether you are in the public or private sector. In the public sector, ROI often focuses on cost avoidance. How do we avoid the cost of a privacy breach, an investigation by the privacy commissioner, or damages in a class action lawsuit? In the private sector, cost avoidance is an issue, but other, more positive factors also come into play. Maybe privacy and security are features that customers are willing to pay for. Perhaps privacy and security can provide a competitive advantage.
Determine the Investment Required
How much should an organization “invest” in a privacy and security management program? The answer will vary depending on the organization’s size and complexity. There is a lot of guidance available as to what constitutes a comprehensive privacy and/or security management program. For privacy, look to the CSA Model Code for the Protection of Personal Information. For security, ISO/IEC 27002:2022—Code of Practice for Information Security Controls is the definitive guide.
Some of the factors to be considered in the ROI analysis will include:
- Staff: What is the cost of a privacy officer, a security officer, and support staff?
- Program development: What will it cost to develop policies and procedures, business continuity plans, incident management protocols, training, and other management tools?
- Risk assessment: What will it cost to assess and manage risk? Do you need a Privacy Impact Assessment and a Threat and Risk Assessment?
- Program management: What will it cost to manage day-to-day activities such as monitoring and auditing, training, complaint handling, and access requests?
- Technical safeguards: What will it cost to implement technical safeguards such as firewalls, intrusion detection, encryption, and audit logging?
- Compliance frameworks: What will it cost to align with global standards and regulations, such as ISO 27001, GDPR, and emerging AI-specific legislation (e.g., the EU AI Act)?
Calculating the Return – Cost Avoidance
No matter how you cut it, privacy breaches are expensive. IBM’s Cost of a Data Breach Report 2024 found that the global average cost of a data breach was USD 4.88 million, a 10% increase from the previous year and the highest total ever recorded. The average cost per compromised record in 2024 was USD 164. These figures highlight the significant financial impact that a breach, and each record exposed in it, can have on an organization. Beyond privacy breaches, losing IT infrastructure to a ransomware attack or denial of service incident can devastate operations, even if sensitive data isn’t compromised.
Among the costs to be avoided by having an effective privacy and security program are:
- Fines and sanctions: Non-compliance with privacy and security laws can lead to steep penalties. For example, violations of Canadian privacy laws, GDPR, HIPAA, or AI-specific regulations may result in multi-million-dollar fines and sanctions.
- Litigation and legal costs: Class-action lawsuits and other legal actions related to breaches are increasing globally, further driving up costs. In addition to damages awards, the legal costs of defending the organization can be formidable.
- Notification: Most privacy legislation requires that all affected individuals be notified of any breach of their personal or personal health information. This includes informing individuals about the measures you are taking to mitigate any potential harm or risk.
- Damage to reputation: While reputational risk is an issue for most organizations, it is especially harmful to private sector organizations, which may lose business to their competition in the event of a breach. Trust is a key asset in today’s market. A breach or security failure can erode consumer confidence, impacting customer retention and future growth.
- Business interruption: A security breach that causes the loss of a critical information system can result in significant costs, including lost productivity, disaster recovery, and business continuity.
- Cyber insurance premiums: Organizations with robust privacy and security programs can reduce insurance premiums and improve coverage terms.
Calculating the Return – Revenue Generation
We tend to dwell on the negative in the privacy and security world. However, some real revenue-generating opportunities are associated with having a comprehensive privacy and security program. These include:
- Procurement requirements: Many organizations consider Privacy Impact Assessments, Threat and Risk Assessments, SOC 2 Type 2 reports, and ISO 27001 certification as part of the procurement process, especially for new, innovative solutions. Companies that meet the requirements have an advantage over those that do not.
- Consumer confidence and trust: Despite consumers’ fickle natures and propensity to be somewhat cavalier in their behaviours, there is growing evidence that they prefer products and services that protect privacy, which increases loyalty and market share.
- Innovation enablement: Addressing privacy and security concerns early enables organizations to adopt new technologies, such as AI, with confidence and compliance.
- Operational efficiency: Investments in privacy and security frameworks reduce inefficiencies caused by ad hoc fixes and strengthen overall resilience.
- Competitive differentiation: Companies with robust privacy and cybersecurity credentials can market these as value-added features, particularly in highly regulated sectors like healthcare and finance.
- New market access: Privacy and security certifications can serve as passports to enter global markets with stringent privacy requirements, such as the EU (GDPR compliance) and the US (HIPAA for healthcare).
Privacy and security investments are no longer optional—they are strategic imperatives. In today’s interconnected and technology-driven world, these programs protect organizations from threats while enabling them to thrive. By demonstrating the ROI of privacy and security, organizations can build the trust, resilience, and innovation required for sustained success.
Over time, the business case will get easier to sell. However, privacy and security officers must keep their pencils sharp to ensure a decent return on investment for every dollar spent.
Authors:
Patrick Lo, CEO, Privacy Horizon Inc.
Brendan Seaton, Principal, eHealthRisk Group