Each year the International Association of Privacy Professionals issues a Privacy Governance Report in conjunction with EY. The latest report, released on 24 September 2019, contains a range of survey questions and responses that are instructive for organisations around the world.
The report surveyed more than 370 fully anonymous respondents across a range of industry sectors in the US, EU, UK, Canada, Australia and other countries, with employee sizes ranging from under 100 to more than 75,000.
Accordingly, the results of this diverse group cover all aspects of modern business. One of the questions asked was "how much does your organisation spend on privacy and how is that privacy budget split?"
The results are telling.
The median total privacy per organisation spend was US$400,000 per annum.
In the US the average was US$952,000 compared to just US$387,000 for EU respondents and may be less for others such as in Australia.
The main budget was on salary (dedicated internal privacy personnel) and travel (50 per cent), technology and tools (12 per cent) and outside counsel (10 per cent). Internal training was approximately 9 per cent.
Given the recent statistics in Australia around data breaches and the significant role of human error as a cause of those breaches (which we looked at in a previous article), it is interesting that the internal training budget was not more. It is clear that while tools and technology assist, they don't overcome the tendency for human error.
One obvious takeaway from this survey is that the budget for internal training needs to be increased, and quickly, noting recent reports predict the global cost of data breaches will rise to US$5 trillion by 2024.
Interestingly, 66 per cent of respondents suggested that their budgets were inadequate for the task at hand but only 55 per cent expect their budgets to increase in the next year.
As privacy regulation increases in Australia, in particular with the Consumer Data Right coming into operation and proposals for shared privacy regulatory responsibility between the Office of the Australian Information Commissioner and the Australian Competition and Consumer Commission, privacy budgets will need to increase simply to respond to the upsurge in regulation.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.