Total privacy spending across the biggest U.S. companies is predicted to rise to $3B in 2015.
Earlier this month, the International Association of Privacy Professionals released its inaugural report of Benchmarking Privacy Management and Investments of the Fortune 1000. The goal of the research effort was to provide benchmarking data for privacy programs, spending and the influence of privacy leaders within corporations. The report reveals considerable variation across the Fortune 1000 and provides interesting insights into the current state of corporate privacy and how top companies are managing privacy concerns.
IAPP queried approximately 275 privacy leads at Fortune 1000 companies in the U.S. and got close to a 23 percent response rate, providing what it calls "one of the most comprehensive samples of corporate privacy leaders ever assembled."
At the outset, respondents were asked to characterize the maturity of their own privacy programs from "pre-stage" to "mature stage." The results were: 25 percent Mature; 33 percent Late Middle Stage; 33 percent Middle Stage; 7 percent Early Stage; and 2 percent Pre-Stage. Not surprisingly, mature stage companies reported having larger privacy budgets and more privacy employees who had more responsibilities within their corporations than less mature corporations.
The total privacy spending across the Fortune 1000 was estimated to be $2.4 billion, with an average (mean) privacy budget of $2.4 million per company, or about $76 per employee. As might be expected, companies that are further along on the maturity scale have much larger budgets than those in earlier stages. Approximately 12 percent of companies spend $5 million or more on privacy, while 16 percent spend less than $500,000.
Salaries for privacy staff constitute the largest internal privacy expenditure. Almost 25 percent of privacy leaders make between $100,000 and $150,000 per year. Twelve percent earn more than $300,000. Interestingly, women outnumber men almost two to one in the highest earning bracket. Over 75 percent of privacy professionals hold the IAPP's Certified Information Privacy Professional U.S. certification, and 62 percent also have a JD.
Outside counsel is by far the largest external privacy cost, estimated to constitute 50 percent of the external budget. Other outside costs include consultants for privacy assessments, privacy training and data inventory and mapping.
Looking ahead, privacy budgets are expected to rise. IAPP is anticipating a 20 percent increase in privacy spending, for a total of $3 billion in 2015.
Stark differences exist among Fortune 1000 companies when it comes to hiring privacy professionals. Mature stage companies have a mean of 25 full-time privacy employees. Late Middle stage companies have 5.9, while those in the pre-, early or middle stage have only 3.3.
Privacy leaders are usually in their 40s, almost equally divided by gender, and have an average tenure of 3.5 years in their current privacy program. One third of privacy leaders report that their jobs entail more than privacy.
Privacy leaders work most closely with information security professionals (93 percent), followed by legal (89 percent) and information technology (79 percent). It follows, therefore, that privacy professionals need to be able to "speak two languages." Trevor Hughes, President and CEO of the IAPP, says, "Privacy professionals with strong translation tools will be in high demand. Companies have a real need for people who can meaningfully communicate with both legal/compliance and infosec/IT."
As reflected in future budget estimates, privacy hiring is on the rise. One third of companies expect to hire full-time and part-time privacy employees in 2015. IAPP estimates that there will be 950 new, full-time privacy hires in 2015 and another 2,200 employees will have some responsibility for privacy issues.
Looking forward, Hughes states that "big changes are coming. Change will be driven by growth, spending and executive focus." He notes that IAPP "is committed to repeating this study every year to provide important benchmarking data for companies as they continue to address these evolving and important privacy issues."
Judy Selby is a partner at Baker & Hostetler in New York.