How much do companies around the world spend each year on data privacy services to fix the problems we read about in the headlines every day? Nobody, as far as I can tell, has published an answer to this question. So this month I set out to pull together the best available data points on the market.
What did I find out?
The first discovery was that you need to define what you're estimating. Because no one before Computerworld has sized up the privacy sector, that task falls to us.
Defining the market
For starters, I think three segments comprise the sector: privacy advisory services, privacy operations and security of personal information.
- The privacy advisory market includes what law firms and consultancies do: help organizations identify their privacy risk and compliance gaps, build their privacy programs and defend against privacy legal claims.
- The privacy operations market includes what software and managed services firms do to help govern a privacy program: governance, risk and compliance software; subscriptions for privacy training, news and information; privacy seals; and platforms for harmonizing privacy opt-ins and opt-outs.
- The personal-data security market includes the tools and technologies used to protect the confidentiality of personally identifiable information (PII), such as encryption, masking and content scanning.
All three subsectors are related, but different providers serve each one and they're at different stages of maturity and market-data availability. Among them, the privacy advisory market offers the best data, so that's where I focused this estimate.
Getting to the numbers
There are at least three ways you can size up the dollars in the privacy advisory market:
- The tally method. Add up the number of privacy lawyers and consultants via LinkedIn, firm websites and the directory of the International Association of Privacy Professionals (IAPP) -- and make assumptions about average rate-per-hour and billed hours per year;
- The survey method. Survey the buyers for what they're spending each year on these services; or
- The market-share method. Use the known revenues of a leading provider or two, and use market-share assumptions from market activity to extrapolate a full-market estimate.
In my March 2006 column, I used only the first method and put the U.S. privacy consulting market at $400 million. It was a sufficient and reliable method back then because the pool of providers was limited and knowable. This time, now that I have access to more information in my new role, I used all three methods. And, what a relief. They all pointed to the same ballpark number: $3 billion.
Here are some key assumptions and interesting factoids:
- Roughly 85% of the global revenues originate from the U.S. market, a share that is poised to decline as Europe nears completion of its massive privacy-law overhaul and European spending increases.
- Legal services account for two-thirds of the total, a portion that also appears to be declining as companies increasingly operationalize their privacy legal advice.
- Market share is highly dispersed across large firms, boutiques and independent consultants, with no single firm capturing more than 5% of the global pie.
Today's privacy advisory market looks like the information security market did 10 years ago, as the Payment Card Industry Data Security Standard and mandatory data-breach notification were coming into full swing. And where is that market heading today? Last month, Gartner projected that spending on information security vendors will hit $101 billion by 2018, at least a quadrupling over the past decade.
Several indicators point to privacy following the same meteoric rise as security:
- 2014 saw record-high levels of global privacy enforcement, and it's just getting going. The European Union is on the verge of updating its privacy law to include a new fine capacity of up to 5% of global revenues;
- Digital disruption -- namely, big data, the internet of things, mobile apps, cloud computing and augmented reality -- is picking up steam with no easy privacy solution in sight;
- State-sponsored actors and organized crime continue an unabated string of spectacular breaches of personal data; and
- Business models in nearly every industry continue to transform toward more intensive uses of personal data for competitive advantage.
If the $3 billion estimate is in the ballpark, and it's true there's no one dominant market leader, an upcoming wave of corporate spending is totally up for grabs.
Jay Cline leads the data privacy practice at PricewaterhouseCoopers LLP.