
A question I get asked, perhaps somewhat wryly given that I am a data privacy consultant, is whether buying (consultants) or building (new hire) privacy capabilities makes more sense. Nowhere is this question more relevant right now than in developing markets. European privacy laws have been around for seven or more years, yet from the Caribbean to India, companies are trying to figure out an approach to insourcing or outsourcing their data privacy responsibilities.
The following five factors are key considerations any company in developing markets should include in their thinking with respect to building or buying data privacy capabilities:
1. Timing
Perhaps most crucial, how much time does your organisation have as lead time before a new or amended data protection law or even a regulator 'goes live'? With more than a year, your organisation has the luxury of looking for both internal and external hires and creating a training plan to upskill in-house talent if needed. Building can be a very attractive and sustainable way over time to develop privacy capabilities.
If, however, your organisation has less than a year to adapt to a new data protection law or a regulator, you will struggle, timing-wise, to get a functioning privacy programme, including hiring and training people, to an effective standard. If this is the case, buying privacy capacity through consultants may make more sense in the short term to ensure compliance and to operate as an effective stopgap while determining what privacy functions can be brought in-house versus outsourced.
2. Expertise
Are there sufficient qualified and experienced privacy experts locally? If not, are secondments with privacy experience an option? Barring these options, is there a large local talent pool of related experts such as lawyers or information security consultants interested in upskilling their expertise into privacy over time?
The level of expertise needed will also vary based upon the industry and your organisation’s complexity. A Data Protection Officer (DPO) for a hotel may not need the same level of expertise or skills as a DPO for a financial services firm co-regulated by their financial regulator and a data protection regulator. Managing growing complexity is a common theme in our own work, both in reconciling core data protection law between multiple jurisdictions and also navigating potential conflicts between privacy, financial regulation, freedom of information, government access to data and a myriad of other rules.
The question here is, if there are limited experts locally, does an organisation want to compete for scarce (and therefore expensive) in-house privacy resources? If there simply are not enough privacy experts in a local market, buying privacy capacity in the short term may be the only option. This is also a great way of fostering knowledge transfer and helping to build or supplement in-house expertise.
3. Cost
Cost and budgets will always be key considerations when a decision like this is being contemplated. What does local privacy talent cost? In some instances, local privacy talent may be so scarce that buying privacy capacity in the form of consultants can make sense for a period of time. In the Middle East, for example, enticing experts to move with relocation packages may be one option of building privacy capacity, but generally this is the most expensive and least durable model for building in-house privacy capability.
It is also important to think of cost not just in salary and benefit terms, but also in terms of building privacy capabilities over time. To that end, what is the opportunity cost of having an open and unfilled privacy vacancy for six months or longer when a consultant could start the following week?
4. Value for Money
If in-house privacy talent is going to be expensive to recruit/build, consider whether buying privacy talent - especially if it can be sourced out of other markets - may be a more cost-effective option. This is especially relevant when outsourcing across borders and time zones, allowing an organisation to obtain higher calibre expertise potentially for a lower cost.
At some point, senior stakeholders will ask whether they are getting value for money with respect to the privacy budget. If it has taken months to upskill and cross-train an internal team, the response will be decidedly different to the one for those that hired an external team to implement a privacy framework and began quickly delivering on it.
5. Organisational Structure
If your organisation has even some of the governance building blocks in place such as a Risk Committee, or a third-party risk management framework/review structure, it may be significantly easier to promote someone into a privacy role from within. After all, governance processes should have exposed key decision makers to a wider set of risks, including data privacy. Equally, if essential foundational elements of a privacy programme are lacking, buying outside help to quickly remediate and build a privacy programme could bring extended benefits to your organisation.
Whether your organisation works in a single country, or if it is a federated business model across dozens of countries, will determine the number of privacy experts and their expertise needed to respond effectively to privacy regulation. Generally, a centralised privacy programme can be run more effectively, provided it is nimble enough to meet all local legislative requirements.
Finally, it is important to note that these decisions are not exclusive. You can buy privacy capabilities to help you build up in-house resources over time. You can start with a small number of key in-house privacy hires, buy privacy expertise for a set period of time to turbocharge the programme’s effectiveness and then transition to a steady-state in-house model.
You can insource the Data Protection Office function, while outsourcing the privacy by design and AI governance tasks. Securys is best placed to assist your organisation by keeping abreast of changes in privacy and AI legislation and developments, and with AI. Ultimately, an organisation's choice depends upon its unique circumstances, industry, and strategic goals. In short, what is right for your organisation in a buy-versus-build context will depend on the above five considerations, plus an assessment of where your organisation already does well versus where it may need help (either short or long term) in building a privacy programme.