
Investing in data privacy


A smart, risk-based approach is vital to long term success

How much do we need to invest to achieve data privacy? And didn’t we already fix this in the run-up to May 2018, when the GDPR took effect?

These two questions are being asked by many business leaders, and not only because they face a future of tighter data privacy regulation. For forward-looking businesses, the need to protect data reflects its commercial value as an asset and, if misused, its potential to become a liability.

Above all, it’s the importance of a ‘single customer view’ to delivering the seamless services customers expect – and the simultaneous need to meet customers’ increasingly stringent expectations on trust – that’s making data privacy a business critical issue.

The fact that data privacy is becoming a permanent priority makes it essential for data privacy spending to be smart and efficient. So a better question for organisations to ask may be: How should we invest to achieve data privacy?

The short answer is that firms need to establish a meaningful link between their customer data strategy, data risk profile and their data privacy spending.

After all, every business uses data in a different way. Risk profiles and risk appetites vary widely, depending on a range of factors. These include firms’ industries, locations, business models, complexity, data maturity, processes and size.

Our experience also shows that a failure to connect strategy, risks and responses often leads to disproportionate and ineffective spending. Without a disciplined approach, firms struggle to prioritise their investments. They are also more likely to resort to improvised or manual fixes when a smarter approach could pay lasting dividends and deliver a competitive advantage.

But what does a smart data privacy spending programme look like? In our experience, the most successful investments follow a number of key steps. They should:  

  • Clarify the future-state business model and data requirements to enable it.
  • Develop a clear view of the organisation’s data risk profile and risk appetite – including financial, operational and reputational factors.
  • Build an intimate understanding of how the business uses customer and employee data in its daily operations, and how that use may evolve. Usage varies not only from sector to sector and from company to company, but also between business units, departments and functions. Understanding it is all the more critical where parts of the business are running breakthrough digital pilots outside the traditional risk frameworks.
  • Use this dual perspective on risk profile and data use to create a risk-based framework for prioritising internal and external spending.
  • Consider the sustainability of the privacy operational processes and, where it is practical and feasible to do so, rely on technology and automation rather than manual effort.
  • Consider the potential benefits of outsourcing. For example, using an external service provider to address and remedy data breaches as and when they occur may be far more efficient than maintaining an internal incident response team that is only required occasionally, provided the provider is engaged in advance with agreed response times and the firm retains an internal owner who can grant access and take decisions during an incident.
  • Integrate data privacy into everyday processes, not only by implementing ‘hard controls’ but also via ‘soft’ cultural factors. Clear, vocal reinforcement from leaders, tailored training programmes and rewards for data-sensitive behaviour can all help to embed data privacy in the company culture.

When it comes to data privacy, businesses are at the start of a long journey. The best-practice models of the future are yet to emerge. In the meantime, approaches to data privacy will need to develop in parallel with evolving technology and business models. A risk-based approach and the smart use of technology, outsourcing and other innovative tools help to ensure that data privacy spending is not just about compliance, but achieves lasting business improvement.


To discuss this topic further, please contact: 

Matt Malone - Partner, Head of Risk and Regulatory Transformation

Martina Algeri - Manager, Data Privacy

© 2021 KPMG LLP a UK limited liability partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
