All compliance activities are cost-centre rather than revenue-centre activities within the balance sheet equation of a business. For consultancies and vendors alike, selling their proposition into organisations is therefore a harder sell than it should be.
So what are some of the ROI metrics that can be achieved by implementing a full, holistic and well-implemented Privacy (read GDPR) strategy within your business, one that benefits the organisation immediately and also in the long term?
Free advertising and Brand awareness.
What, I hear you say! Yes, this can and will happen IF you are able to communicate effective changes to your marketing consent, privacy and cookie notices, where these have been well thought out and are fresh and innovative in style and delivery, so that they engage current and future business users. This is the Transparency principle. The flip side: get this wrong legally or do a bodge job and this opportunity will probably cost you money and business, a fate that has definitely befallen a good few in the blind panic rush up to the 25th May 2018.
A business that knows itself.
A surprising comment, you may think. However, most businesses don't actually know what they do and what they have. Operational malaise or concentrating on other core activities means that this is often a frustratingly neglected area of a business. Step in Data Protection to the rescue!
The Accountability principle for Data Processing requires a detailed understanding of your business. Hence a good Data Discovery, Data Flow / Process Mapping and Categorisation exercise, one that is maintained, will 100% uncover your entire business activities because, unlike other compliance frameworks that are often demarcated by function, Data Protection is not. It spans your entire business: Paper, Electronic, Front of House, Back of House, IT, Finance, HR, Supply chain, Physical and Virtual (etc.) presence of your operation, and so will expose what you really do in even the deepest, darkest, dingiest spaces of your operation.
A leaner and more nimble operation.
Yes, this is what all companies love, from bosses to accountants and shareholders.
This is a truly realisable benefit, as the above will expose activities that are duplicates, triplicates or worse when it comes to processing and storage. Exposing pointless activities in the business is a huge benefit. This will allow you to prune your unnecessary hoarding activities (and so achieve the Data Minimisation principle) and start the implementation of the retention policies that you so need. This will reduce both Paper and Electronic storage, and therefore quite likely Physical and Virtual storage space. Unfortunately for some, this could mean the loss of a job too. All have a positive impact on the balance sheet.
The overhead of Data Breaches and DSARs (Data Subject Access Requests) is substantial for any organisation, and you are obliged to have these in place whether you like it or not. Indeed, nothing demonstrates the privacy maturity model of your business like the above two areas.
A Privacy Programme that has been well implemented, so that the Accountability registers are all in place and it is fully integrated into the Change Management of your business in all areas (not just IT), will ensure that the effort of managing these activities is minimal and therefore saves the business money.
You have the direct control to reduce the potential future hits to your balance sheet.
Yes, I mean those pesky fines that could materialise from your Supervisory Authority should the worst happen and the book be thrown at you for poor practices and a blatant disregard for the latest regulation.
This is of course not a complete list, but these are significant, tangible benefits that should be used in tender bids and for continuous positive reinforcement to the boards of the companies that you represent, whether directly as DPOs, via the Programmes that you report into, or as Privacy Champions in the business that you are employed by.