Newport Thomson

Our analysis of Cisco’s 2025 Data Privacy Benchmark Study revealing the complex interplay between localization demands, regulatory trust, and AI governance

In an era where data flows as freely as commerce itself, organizations face a peculiar contradiction: they want their data close to home, yet they trust global providers more than local ones. This paradox, revealed in Cisco’s latest Data Privacy Benchmark Study, offers a window into how businesses are navigating the increasingly complex landscape of data privacy in 2025.

The Localization Paradox: Safety in Proximity, Trust in Scale

The study, which surveyed over 2,600 security and privacy professionals across 12 countries in fall 2024, uncovered a striking duality in organizational thinking. An overwhelming 90% of respondents believe that data stored locally, within their own country’s borders, is inherently safer. This perception drives real financial decisions: 88% acknowledge that data localization adds significant cost to operations, up from 85% the previous year.

Yet here’s where it gets interesting: 91% of these same respondents believe that global providers are better equipped to protect their data than local providers serving specific countries or regions. This figure represents a five-percentage-point increase from 2023, suggesting growing confidence in multinational organizations’ security capabilities.

This apparent contradiction actually makes perfect sense in today’s digital economy. As Harvey Jang, Cisco’s Vice President and Chief Privacy Officer, notes in the report, “Privacy is core to trust and a competitive differentiator in today’s digital economy.” Organizations aren’t choosing between local storage and global expertise. They’re demanding both. The rise of multinational providers offering in-region data storage capabilities allows businesses to satisfy data residency requirements while leveraging the robust security infrastructure that only global scale can provide.

Interestingly, this preference for global providers remains remarkably consistent across geographies, ranging from 85% in Spain to 95% in France and Mexico, suggesting that trust in global security capabilities transcends local regulatory differences.

The Regulatory Trust Engine

While compliance requirements often drive initial privacy investments, the study reveals that organizations increasingly view regulation not as a burden but as a trust-building tool. In 2024, 86% of respondents reported that privacy laws have had a positive impact on their organizations, up from 80% in the previous year’s study.

This positive sentiment holds across most surveyed countries, with particularly strong support in Japan (95%), China (94%), and India (94%). Even in markets with longer privacy law traditions, support remains robust: 88% in the UK, 85% in France, and 87% in the US.

The trust-building power of regulation becomes even clearer when we examine consumer perspectives. For the first time since Cisco began tracking consumer privacy awareness in 2019, a majority of global consumers (53%) report being aware of their country’s privacy laws. This awareness correlates directly with confidence: among consumers aware of privacy laws, 81% say they can protect their personal data, compared to just 44% among those unaware of such laws.

This creates a virtuous cycle: regulations drive organizational investment in privacy, which builds consumer trust, which in turn creates business value that justifies further investment.

The ROI of Trust: Quantifying Privacy’s Value

Perhaps the most compelling finding is that privacy investments are delivering measurable returns. An impressive 96% of respondents report that the benefits from privacy investment outweigh the costs. The median return on investment sits at 1.6x, with 53% of organizations reporting returns between 1x and 2x.

Privacy investment has remained remarkably consistent over the past four years, averaging $2.7 million across surveyed organizations. Larger organizations continue to increase their investments year over year, while smaller companies (50-249 employees) have reduced spending, possibly reflecting resource constraints or different risk profiles.

But what exactly are organizations getting for their money? The benefits extend far beyond mere compliance:

• 79% report enhanced customer loyalty and trust
• 78% cite improved operational efficiency
• 78% note their organization has become more attractive to stakeholders
• 78% see mitigation of security losses
• 76% experience reduced sales delays
• 75% report increased agility and innovation

Notably, the percentage of respondents indicating that privacy investments make their organization more attractive increased from 75% to 78% year over year. This aligns with consumer behaviour: the 2024 Consumer Privacy Survey found that 75% of consumers will not purchase from a provider they don’t trust with their data.

External privacy certifications continue to matter immensely, with 99% of respondents emphasizing their importance when choosing vendors. Organizations recognize that third-party validation serves as tangible proof of their data protection practices.

The GenAI Challenge: Familiarity Breeds Confidence (and Concerns)

As Generative AI rapidly integrates into business operations, organizations are grappling with new privacy challenges. Familiarity with GenAI has increased significantly, with 63% of respondents reporting they are “very familiar” with the technology in 2024, up from 55% in 2023. Those deriving “very significant value” from GenAI jumped from 37% to 48%.

Interestingly, as familiarity grows, some concerns are diminishing. Worries about GenAI hurting a company’s legal rights through copyright or intellectual property issues dropped from 69% in 2023 to 55% in 2024. Similarly, concerns about sensitive information leaks decreased from 68% to 64%.

This decline likely reflects improved governance and controls. As Dev Stahlkopf, Cisco’s Executive Vice President and Chief Legal Officer, observes: “For organizations working toward AI readiness, investing in privacy establishes essential groundwork, helping to accelerate effective AI governance.”

However, risk hasn’t disappeared, it’s simply being better managed. Nearly half of respondents still report inputting personal employee information or non-public company information into GenAI tools, with 60% entering information about internal processes and 63% inputting public company information.

The role of regulation remains critical even in the AI context: 90% of respondents agree that strong privacy laws make customers more comfortable sharing their data with GenAI applications. Privacy laws mandate the transparency, fairness, and accountability that allow individuals to engage with GenAI technologies with greater confidence.

The Resource Reallocation Reality

As organizations race to implement AI, they face difficult budget decisions. Cisco’s 2024 AI Readiness Index found that 98% of organizations felt increased urgency to invest in AI, yet only 13% felt ready to leverage the technology to its full potential.

Against this backdrop, 99% of Data Privacy Benchmark Study respondents expect resources to be reallocated from privacy budgets to AI budgets in the coming year. This near-unanimous expectation raises important questions about maintaining the privacy foundations that have taken years to build.

The good news is that organizations recognize the benefits of AI governance. More than three-quarters report moderate or significant benefits in product quality, employee relations, achievement of corporate values, preparation for regulation, and stakeholder trust. The challenge lies in ensuring that AI governance builds upon, rather than undermines, existing privacy investments.

Navigating the Data Localization Maze

The study also highlights the practical challenges of operating in a fragmented regulatory landscape. According to the OECD, more than 100 data localization requirements exist across 40 countries. This complexity forces organizations to navigate a patchwork of regulations while maintaining efficient global operations.

Interestingly, 85% of respondents agree that “Data Free Flow with Trust”, an initiative supported by the G20 and OECD to make national data governance systems interoperable while prohibiting strict data localization, could boost economic growth. This suggests a strong appetite for frameworks that enable secure cross-border data flows while respecting sovereignty concerns.

Five Strategic Recommendations

Based on these findings, organizations should consider the following strategic imperatives:

1. Develop a Comprehensive Localization Strategy
Create a compliance approach that effectively navigates data localization regulations and transfer mechanisms across geographies. Don’t view local storage and global providers as mutually exclusive, seek solutions that deliver both.

2. Embrace Regulation as a Competitive Advantage
Rather than treating privacy laws as mere compliance exercises, leverage them as trust-building tools. The growing public awareness of privacy regulations creates opportunities for organizations that can demonstrate robust compliance. Remember, consumers must trust a brand in order to purchase their products & services.

3. Measure and Communicate Privacy’s Business Value
Look beyond compliance metrics to track how privacy investments drive agility, innovation, speed to market, and operational efficiency. These business dividends help justify continued investment and secure executive support.

4. Deploy AI with Privacy-First Governance
Implement governance frameworks and controls that respect privacy and manage unintended consequences before scaling AI deployments. The familiarity and comfort your organization has built with GenAI should be matched by equally sophisticated risk management.

5. Protect Privacy Foundations Amid Budget Shifts
As resources inevitably shift toward AI initiatives, ensure that AI investments continue to support, not cannibalize, the underlying privacy and security foundations that require ongoing resources. Privacy isn’t a one-time achievement; it’s an ongoing operational requirement.

Conclusion: Privacy as Competitive Imperative

The Cisco 2025 Data Privacy Benchmark Study paints a picture of organizations that have moved beyond viewing privacy as a compliance checkbox. They recognize it as a fundamental business enabler, one that builds customer trust, enables global operations, and creates competitive differentiation.

As GenAI reshapes the digital landscape, the organizations that succeed will be those that treat privacy not as a constraint on innovation but as a foundation for it. They’ll recognize that the same principles that build trust in data handling such as transparency, accountability, and user control, are equally essential for trustworthy AI.

The paradoxes revealed in this study, demanding both local storage and global expertise, viewing regulation as both costly and valuable, reallocating budgets while recognizing privacy’s ROI, reflect the complex reality of operating in today’s digital economy. Organizations that can navigate these tensions, balancing competing demands while maintaining focus on customer trust, will be best positioned for sustainable success.

In an era where 75% of consumers won’t buy from providers they don’t trust with their data, privacy isn’t just good ethics, it’s essential business strategy.

This analysis is based on the Cisco 2025 Data Privacy Benchmark Study, which surveyed 2,600+ security and privacy professionals across Australia, Brazil, China, France, Germany, India, Italy, Japan, Mexico, Spain, the United Kingdom, and the United States in fall 2024.