
Newport Thomson

May 18, 2026 | Quebec Bill 64

The Real Reason Privacy Keeps Getting Pushed to the Bottom of the Pile

Let’s start with something most people in a boardroom won’t say out loud.

A company spends money on the things that make money. That’s not a flaw, that’s the job. Executives get paid, in large part, on profit. Stock goes up, bonuses go up. So when a leader is deciding where the next dollar goes, they are quietly asking one question: Will this dollar come back with friends?

Privacy and data protection have a hard time answering that question with a clear yes. So the dollar goes somewhere else.

That’s the uncomfortable truth underneath every “we’ll get to it next quarter.” It isn’t that executives are reckless or don’t care. It’s that the scoreboard they’re judged on doesn’t have a column for “didn’t get sued” or “didn’t get investigated by the authorities.” Those wins are invisible. And invisible wins don’t show up in a compensation review.

I read a thoughtful piece in the IAPP recently asking why it’s still so hard to get corporate buy-in for privacy compliance, even with enforcement ramping up and AI pouring fuel on the fire. It noted that privacy compliance still doesn’t get the same boardroom urgency as anti-money-laundering rules or antitrust enforcement. The article is right about the symptoms. I want to talk about the disease. (IAPP)

Why privacy loses the budget fight

Picture two people walking into the CFO’s office on the same morning.

The first one says: “Give me $200,000 and I’ll bring in $600,000 in new sales.” Easy yes.

The second one says: “Give me $200,000 and… nothing bad will happen. Probably. Eventually. Maybe. I can’t tell you exactly what or when.”

You already know who wins that meeting. And here’s the part privacy people hate to admit – the CFO isn’t wrong to hesitate. The second pitch is a bad pitch. It asks for real money and offers a fuzzy promise in return.

So privacy gets treated like buying insurance for a house fire nobody in the neighbourhood has had yet. As I like to say, “not my circus, not my monkey,” and that’s exactly the trap. Every department looks at privacy and decides it belongs to someone else. Privacy overlaps with security, marketing, IT, HR and legal, and when ownership is unclear, accountability spreads out so thin that nothing actually moves. Everyone assumes it’s another department’s monkey. So the monkey just sits there. (IAPP)

A few other things make it worse, and the IAPP piece named them well:

It’s genuinely hard to explain. You’re not dealing with one law, you’re dealing with dozens of overlapping, sometimes contradictory rules across different places, and that’s tough to squeeze into a three-minute pitch for a CEO. Antitrust has bright lines. Privacy has a moving target. (IAPP) This can be overcome by working with professionals who know how to select the highest bar (likely GDPR) and then add isolated elements to comply with regional laws (for example, adding a Do Not Sell My Data button to the website to satisfy CPRA).

There’s no obvious boogeyman. Unlike sanctions violations, where the penalties are huge and well-publicized, privacy enforcement has been more scattered across different regulators and legal theories, which makes leadership say “show me the company in our space that got hit,” and that’s a hard question to answer with one tidy example. (IAPP)

And the most dangerous line of all: if nobody in your industry has been sued or fined, there’s an assumption that the current approach must be good enough. But here’s the thing: your competitor not getting caught doesn’t mean their practices are compliant. It just means the bill hasn’t arrived. As I often say, “no good picking up speed if you’re on the wrong road.” A whole industry can be speeding down the wrong road together and feeling great about the pace. (IAPP)

Why “it costs shareholders money” is only half the math

Here’s where I want to push back on the very assumption I opened with.

Yes, a dollar spent on privacy is a dollar that doesn’t show up as profit this quarter. That part is real. But that’s a half-finished sentence, and executives are smart enough to know it. The other half is this: a privacy failure doesn’t just cost you a fine. It costs you the thing that’s actually hardest to rebuild – consumer and stakeholder trust. And trust is not a soft, fuzzy word.

Trust is a balance-sheet item that just hasn’t been invoiced yet.

Think about it the way you’d think about a customer relationship. You don’t earn someone’s business once. You earn it, and then you keep earning it, and the keeping is where the profit lives. Profit is a function of doing business well. Privacy-compliant data practices build trust, trust builds lifetime customer relationships, and trust is what makes a consumer pick you over a competitor. “Less creepy” is a real brand advantage now, whether or not it ever shows up in a strategy deck. (IAPP)

And there’s a part most executives miss entirely. They think privacy compliance means doing less with data: fewer emails, fewer cookies, smaller lists, less reach. It’s actually the opposite. When you’re compliant, you can collect more data and do more with it, because you have the consent and the governance framework to support it. Compliance isn’t the brakes. It’s the licence to drive. But it must be built, not bought or rented. (IAPP)

If you sell to other businesses, it’s even more direct. Your customers’ own privacy programs are maturing, and they’re increasingly unwilling to buy from vendors who can’t show real data protection, which makes privacy compliance a sales enabler, not just a legal check-box. I’ve watched deals stall on exactly this. The privacy questionnaire is now part of the sale. If you can’t answer it, you’re not in the running, and nobody even tells you why. (IAPP)

And if you ever want to sell the company or raise money? Investors and acquirers look at privacy posture during due diligence, so a weak program is a deal risk, and a strong one is a value driver. So the same executive who skipped privacy to protect shareholder value may be quietly destroying shareholder value on the day it matters most. (IAPP)

So when someone says “privacy decreases shareholder profit,” my answer is: you’ve measured the cost and forgotten to measure the bill you’re running up. You can’t force a number to look good by ignoring the risk piling up behind it. Make the upside real and visible and it moves. Pretend the risk isn’t there, and nothing happens.

How to actually win the meeting

If you’re the person trying to get privacy taken seriously, complaining that leadership “doesn’t get it” is a dead end. The job is to make them get it. A few things genuinely work:

Speak the language of the person across the table. The pitch to the CEO is not the same as the pitch to the chief marketing officer or the board – for some people it’s about personal risk, for others it’s about value, and for others it’s about brand and market position. One script for every audience is one script that fails three times. (IAPP)

Make the personal risk real. Abstract regulatory risk gets nodded at and ignored. The threat of personal liability gets attention in a way abstract risk does not, and once a regulator looks under the hood, everything is on the table. Executives will sit up for a risk that has their name on it. Quebec’s Law 25 clearly makes the highest authority in the company accountable for the proper collection and use of personal data by anyone in the company. That’s a game-changer. (IAPP)

Make the abstract concrete. Privacy risk feels abstract, so make it tangible. Benchmark your program against peers and track what’s actually happening with enforcement and litigation in your specific sector. “Three companies that look just like us got demand letters this year” beats “the landscape is evolving” every single time. (IAPP)

And don’t cry wolf. This is the one privacy people break most often. Nothing kills credibility faster than overstating the risk. Flag every development as a five-alarm fire and leadership will tune you out. Be the calm, credible voice. Save your loud “no” for the things that genuinely deserve it, and people will actually listen when you use it. (IAPP)

The bottom line

The honest reason privacy keeps losing the budget fight is that it’s been pitched as a cost with an invisible payoff, and a quarter-by-quarter scoreboard will lose that fight every time.

So stop pitching it that way.

Privacy isn’t the thing you do instead of growth. Done right, it’s the foundation growth stands on. The consent that lets you market, the trust that keeps customers, the clean answer that closes the B2B deal, the strong posture that protects the company’s value the day someone wants to buy it.

Buy-in isn’t a one-time pitch, it’s an ongoing campaign. The companies that figure this out won’t be the ones with the biggest compliance binder. They’ll be the ones that stopped treating privacy as a tax on profit and started treating it as the road the profit actually travels on. (IAPP)

Remember, the best time to plant a tree was 25 years ago. The second best is NOW.
