Team-sizing and budgeting: the data protection function
4 min read
2025-01-03

Topic: Privacy

Jurisdiction: Global
Georg Philip Krog
Co-founder & Chief Legal Counsel, Signatu

executive summary

  • Benchmarking challenges: Data protection benchmarking is hindered by fragmented data sources, reliance on self-reported data, and the lack of standard frameworks for defining and assessing functions.
  • Value: Data protection ensures compliance and market access, builds customer trust (key for 94% of customers, per Cisco), and can drive efficiency when integrated strategically.
  • Costs: Personnel costs range from US$60,000 to US$300,000 annually/FTE, depending on qualifications and location. Technology investments for automation and compliance tools add upfront and ongoing costs.


article


How to benchmark?

Can you benchmark the value and costs of a data protection function?

Georg: Yes, but it’s difficult to make it meaningful.

Chart: Privacy Budget Trends: Median vs. Average (2023–2024)

First, there is no central repository for benchmarking data—information is scattered across industry associations, consulting firms, academic studies, and regulatory reports.

Second, existing studies often rely on self-reported data, which comes with challenges like biases, small sample sizes, and outdated information.

Third, there is no standard framework for defining and benchmarking data protection functions. For instance, while European data protection authorities provide guidance on the qualifications of Data Protection Officers (DPOs), they don’t address broader metrics for budgeting or resource allocation. Without clear regulatory guidance, it’s challenging to define appropriate investments in staffing, tools, and resources. For example, privacy champions in IT or engineering often require cross-functional expertise, but their roles are not explicitly addressed in regulations.

So companies need to undertake the benchmarking themselves?

Georg: Essentially, yes. It’s crucial to find the right reference points—otherwise, you risk making inaccurate comparisons.

Value

Let us talk about the value of the data protection function first. How do you measure that?

Georg: The value of a data protection function depends on how it is used. Is it solely about compliance, or is it part of a broader strategy to drive sales and growth?

At a basic level, compliance ensures market access and reduces the risk of penalties. For example, in the EU, GDPR compliance is a minimum requirement to be taken seriously in the market.

On a strategic level, data protection can build customer trust, which is increasingly valuable. Studies from Cisco show that 94% of companies believe that their customers will not buy from them if their data were not properly protected.[1]

Integrating data protection into operations can also improve efficiency. For instance, aligning data protection with marketing strategies can streamline compliance, reduce duplication, and enhance decision-making through real-time monitoring.

Example: A retail company might focus on compliance to avoid penalties and reputational damage. By contrast, a tech company could position data protection as a selling point to build trust and stand out in the market.

Costs

What are the costs?

Georg: Costs depend on your organization’s context. Let’s start with personnel. The IAPP[2] role matrices provide useful benchmarks:

  • Large enterprises: 8–12 full-time privacy staff, plus 4–6 support roles.
  • Midsized organizations: 4–6 core roles and 2–3 support staff.
  • Small organizations: 1–2 individuals, often combining multiple roles.

But this only indicates the number of professionals you might need—not their costs. These can vary significantly.

  • A PhD in law or computer science: US$150,000–US$300,000 annually.
  • A Master’s degree in Privacy or Data Protection: US$90,000–US$180,000 annually.
  • Certified specialists without advanced degrees: US$60,000–US$120,000 annually.

Location also matters. For example, external consultants in emerging markets may charge US$20–50 per hour, while in cities like London or New York, rates can exceed US$200 per hour.

What about specific industries?

Georg: In highly regulated industries like healthcare or finance, you will need experts with specialized knowledge, such as HIPAA compliance or financial privacy regulations. These roles typically come at a higher cost due to the expertise required.

And if a company operates internationally?

Georg: International operations add complexity. Multinationals require professionals familiar with cross-border data transfers, localization rules, and jurisdictional nuances. These professionals often come with a premium price tag but are essential for global compliance.

What about technology investments?

Georg: Data protection compliance is increasingly technology-enabled. Automation tools can reduce staffing needs but require significant upfront costs, system integration, and ongoing maintenance. Long-term costs, such as upgrades and adapting to regulatory changes, are often underestimated.

Beyond automation, tools for data mapping, breach response, and risk assessments are increasingly critical too. However, these tools must align with an organization’s existing workflows and infrastructure to maximize their value.

Chart: Organizations See GenAI As Fundamentally Different

Investment in data protection compliance technology should evolve to meet shifting demand. For example, AI is highly data-reliant, and users are more aware than ever of how their data is used. This demands not only good AI practices but also tools that allow users to exercise their data rights effectively. Currently, there’s no tool that enables users to manage their data rights across organizations seamlessly. When such tools emerge, they will likely impose significant costs on companies, which should plan for these developments.

Anything else companies should plan for?

Georg: Yes. Training programs for employees are essential to ensure compliance, as are legal fees for managing potential regulatory investigations.

Key takeaways

What are the key takeaways?

  1. First, define what you want your data protection function to achieve. Is it focused on compliance, or is it intended to deliver strategic value?
  2. Second, identify an appropriate peer group. Compare your organization with others of similar size, industry, and regulatory context.
  3. Third, advocate for clearer regulatory guidance. Regulators could provide objective metrics on what a data protection function should deliver. Collecting anonymized data from organizations would help establish standardized benchmarks.

The development of standardized metrics and centralized benchmarking data would greatly improve the benchmarking process, enabling organizations to better align their data protection efforts with compliance requirements and broader business objectives. Unfortunately, such guidance is not yet available.

Georg Philip Krog is Co-founder & Chief Legal Counsel at Signatu. Signatu is a scalable B2B SaaS platform for data modelling (metadata), managing data privacy and security information, consent management and getting data insights. He is also co-founder of the Alpine Privacy Days, a series of data protection conferences.

Sources

  1. Cisco 2024 Data Privacy Benchmark Study, p. 4.
  2. The IAPP (International Association of Privacy Professionals) is an organization focused on privacy and data protection, offering certifications, training, and resources for professionals in the field.