On March 3, 2010, the UK Information Commissioner launched a report on the “Privacy Dividend” (the “Report”), which outlines the business case for proactively investing in privacy protection. The lack of a robust business case is a common barrier to privacy investment, and too often such investment is approved only after a privacy breach or other crisis occurs.
The conclusions of the Report are unsurprising, namely that (i) personal information has commercial value, (ii) good data protection can bring business benefits and (iii) there are significant downsides to ignoring data protection. The Report also reiterates the need for direction and accountability on the part of senior management for the organization’s privacy strategy.
Against the backdrop of these conclusions, the Report offers a structured approach for Data Protection Officers to build their own business case to secure privacy investment and build a privacy culture. It highlights the key components of a privacy program, and offers a framework (including examples) for estimating both the value of personal data, and the costs of ignoring data privacy.
In launching the report, the UK Information Commissioner, Christopher Graham, recognized that there can be no ”one size fits all” approach to privacy. Instead, the Report provides practical tools to help organizations of all sizes and across all sectors to build a business case for investing in privacy.” The Commissioner challenges organizations to use the tools necessary to ensure that privacy protection is hardwired into organizational culture and governance, and urges organizations to realize the privacy dividend.