How to Acquire Budget for Your Privacy Program

Written by Ray Pathak
on November 21, 2018

One of the most common questions we are asked is, “How do I make a business case to acquire budget for my privacy program?” This blog outlines the key responsibilities involved in establishing and maintaining a privacy program, identifies the possible costs of non-compliance, and helps make the business case for acquiring the tools to achieve and maintain compliance.

While the threat of the GDPR’s extremely steep fines made a compelling case for the budgets of many Privacy Offices in the lead-up to May 25th, 2018, this date was only the beginning. Going forward, organizations must now demonstrate an ongoing capacity to comply and be ready to report such compliance to a supervisory authority at any point in time. Hard on the heels of the GDPR, the CCPA with its January 1st, 2019 compliance date and 2020 effective date are also causing many Privacy Offices to revisit their budgets to meet compliance obligations.

Key Responsibilities Involved in Establishing and Maintaining a Privacy Program and the Costs of Non-Compliance

Identifying ongoing privacy compliance requirements and keeping informed

In order to remain current and compliant, the Privacy Office must keep informed of new laws and changes to laws. It must also regularly conduct research to determine what, if any, alterations need to be made to the privacy program as a result of legal developments or operational changes. Without having the ability to keep informed or conduct ongoing legal and regulatory research, the organization risks its privacy program becoming out-of-date, non-compliant, and possibly subject to fines. Nymity’s Legal Research software solutions address these needs.

Operationalizing requirements

Once an organization understands its requirements, the next step is to either build and maintain the privacy program and operationalize those requirements. This will consist of putting in place or maintaining technical and organizational measures to build/maintain a demonstrably compliant privacy program that results in ongoing compliance. When compliance is not operationalized and an ad hoc approach is taken, the results could be non-compliance and breaches, which could lead to monetary fines and loss of brand equity. Nymity’s Privacy Office Support software addresses these needs.

Automating due to volume and complexity

Knowing when to automate is often a tricky issue. Organizations will look to automate elements of their privacy functions when volumes get too high to manage manually, the processes become too complex, or both. If an organization only has a handful of DPIA’s or access requests to process and/or operates in a single jurisdiction, automation may not be required.

However, when volumes and complexity arise, the time, accuracy, and efficiency gained by automating are, in themselves, justifications for automation resources. Without automation, manual errors and not processing access requests, records of processing, PIA’s or DPIA’s in a timely manner could increase the likelihood of non-compliance, which in turn may result in monetary fines and loss of brand equity. Nymity’s Privacy Management software solutions address these needs.

Making the Business Case for Privacy Software Solutions

Peer Benchmarking

When requesting budget, Privacy Offices are often asked how their existing program compares to those of peers. Even if an organization is not striving to be the gold standard, they want to be on par with other similar organizations in size, jurisdiction or industry. Good benchmarking software, like Nymity Benchmarks, can baseline an organization’s privacy program and deliver a powerful visual justification for resources by clearly identifying program gaps when compared to other similar organizations. Find out how Nymity Benchmarks can help. Request a free trial now.


The Privacy Office can be compliant when it has an understanding its legal obligations and regulator expectations. For both existing and new data processing operations, good legal research software will support the understanding and discovery of legal obligations and regulatory expectations, including when they change. This allows the Privacy Office to inform the business of any operational changes required to continue to ensure compliance. Find out how Nymity Research™ can help. Request a free trial now.


The concept of accountability has broad international support and has been adopted in the GDPR as a compliance obligation. As seen in Articles 5 and 24, the GDPR calls for organizations to put in place appropriate technical and organizational measures to remain compliant.

Thousands of organizations around the globe have used the free Nymity Privacy Management Accountability Framework™ to put in place appropriate technical and organizational measures. The Framework helps organizations structure their privacy management programs, justify budget decisions, explain and validate implemented technical and organizational measures, and identify gaps in a program. Using the Framework, Privacy Offices can build and maintain an accountability-based program. Find out how Nymity Planner and Nymity Templates can help in using and implementing the framework. Request free trials.


Not only should the risk of non-compliance be borne in mind, but also the risk to individuals whose information is being processed, the risk of violating contracts with 3rd party processors, the risk of not complying to an access request in an adequate and timely manner, and the risk of data breaches need to be considered. There are many risks that good software solutions can help identify and mitigate.

The threat of hefty fines associated with non-compliance and breaches have served to help justify budgets in the lead-up to major regulations like the GDPR, but ongoing compliance is essential. Nymity’s Privacy Management Software can help Privacy Offices identify and mitigate these risks. Find out how Nymity’s ExpertPIA, Nymity Attestor and Nymity DSR can help. Request free demos.


Organizations that find budget for the right software are able to demonstrate long-term savings, by using solutions that support and enable compliance with all relevant worldwide legislation – without additional effort. Such organizations also save on outside counsel fees, by gaining sufficient knowledge to have more efficient interactions with legal. Additionally, they can measure the performance of their privacy program, direct resources at poorer performing areas, and save time and money through automation versus adding headcount or using manual tools.

6 Software Vendor Considerations

When selecting a vendor for privacy software, there are a number of attributes that should be taken into consideration, including:

  1. Depth of Knowledge and Expertise. Do they have an internal research team consisting of privacy professionals with years of operational experience? Do they have former CPOs and former regulators on staff? Do they have ongoing regulator outreach and research projects to help understand regulator expectations?
  2. Exceptional Support. Do they have dedicated privacy experts assigned to each account to help with day-to-day management and post-sales support/customer success?
  3. Thought Leadership. Do they have full-time dedicated employees that create and publish thought leadership materials, such as frameworks and methodologies, or do they just republish regulator material or verbatim text of laws?
  4. Proven Track Record. Do they have a track record in privacy management prior to the GDPR? How many years have they been doing privacy management? What were their founders doing before the GDPR, and do they have a track record of investing for the long term?
  5. Multi-Jurisdictional Focus. Do they focus primarily on the GDPR, trying to leverage the current trend, or are they focused on privacy compliance in all jurisdictions? Do they support over 860 laws? How many laws do they support?
  6. Time Tested Innovation. Do they come up with innovative software that is built on top of a research or framework layer? Do they have expertise built in? Is their software future proofed, and has it been time tested in different industries and jurisdictions?

Overall, the bottom line is that privacy software forms the cornerstone of most Privacy Offices’ compliance programs, providing them with a solid foundation of knowledge and tools. For 16 years, Nymity’s mandate has been to support the Privacy Office with innovative, research-driven privacy compliance and accountability software, along with powerful thought leadership. We are known as pioneers in the privacy compliance software space. Find out how our software can help your Privacy Office.

You may also like:

GDPR ccpa
New IAPP and TrustArc Report Reveals a Majority of Companies Are Embracing a Single Global Data Protection Strategy

Survey explores differences in data and privacy practices based on company size, location, sector and geographic reach

GDPR ccpa
TrustArc’s Nymity Awareness Tracker Enables Privacy Knowledge Across Entire Business

Tailored Information Empowers Privacy Champions at Every Level

GDPR ccpa
REIMAGINING PRIVACY: TrustArc Acquires Nymity

Terry McQuay, President and Founder at Nymity Today we’re pleased and proud to be announcing that Nymity, the company ...