Global privacy advisory market topping $3B

How much do companies around the world spend each year on data privacy services to fix the problems we read about in the headlines every day? Nobody, as far as I can tell, has published an answer to this question. So this month I set out to pull together the best available data points on the market.

What did I find out?

The first discovery was that you need to define what you're estimating. Because no one before Computerworld has sized up the privacy sector, that task falls to us.

Defining the market

For starters, I think three segments comprise the sector: privacy advisory services, privacy operations and security of personal information.

  • The privacy advisory market includes what law firms and consultancies do: help organizations identify their privacy risk and compliance gaps, build their privacy programs and defend against privacy legal claims.
  • The privacy operations market includes what software and managed services firms do to help govern a privacy program: governance risk and compliance software; subscriptions for privacy training, news and information; privacy seals; and platforms for harmonizing privacy opt-ins and opt-outs.
  • The personal-data security market includes the tools and technologies used to protect the confidentiality of personally identifiable information (PII), such as encryption, masking and content scanning.

All three subsectors are related, but different providers serve each one and they're at different stages of maturity and market-data availability. Among them, the privacy advisory market offers the best data, so that's where I focused this estimate.

Getting to the numbers

There are at least three ways you can size up the dollars in the privacy advisory market:

  • The tally method. Add up the number of privacy lawyers and consultants via LinkedIn, firm websites and the directory of the International Association of Privacy Professionals (IAPP) -- and make assumptions about average rate-per-hour and billed hours per year;
  • The survey method. Survey the buyers for what they're spending each year on these services; or
  • The market-share method. Use the known revenues of a leading provider or two, and use market-share assumptions from market activity to extrapolate a full-market estimate.

In my March 2006 column, I only used the first method and put the U.S. privacy consulting market at $400 million. It was a sufficient and reliable method back then because the pool of providers was limited and knowable. This time, now that I have access to more information in my new role, I used all three methods. And, what a relief. They all pointed to the same ballpark number: $3 billion.

Here are some key assumptions and interesting factoids:

  • Roughly 85% of the global revenues originate from the U.S. market, a share that is poised to decline as Europe nears completion of its massive privacy-law overhaul and European spending increases.
  • Legal services account for two-thirds of the total, a portion that also appears to be declining as companies increasingly operationalize their privacy legal advice.
  • Market share is highly dispersed across large firms, boutiques and independent consultants, with no single firm capturing more than 5% of the global pie.

Market outlook

Today's privacy advisory market looks like the information security market did 10 years ago, as the Payment Card Industry Data Security Standard and mandatory data-breach notification were coming into full swing. And where is that market heading today? Last month, Gartner projected that spending on information security vendors will hit $101 billion by 2018, at least a quadrupling over the past decade.

Several indicators point to privacy following the same meteoric rise as security:

  • 2014 saw record-high levels of global privacy enforcement, and it's just getting going. The European Union is on the verge of updating its privacy law to include a new fine capacity of up to 5% of global revenues;
  • Digital disruption -- namely, big data, the internet of things, mobile apps, cloud computing and augmented reality -- is picking up steam with no easy privacy solution in sight;
  • State-sponsored and organized crime continue an unabated string of spectacular breaches of personal data; and
  • Business models in nearly every industry continue to transform toward more intensive uses of personal data for competitive advantage.

If the $3 billion estimate is in the ballpark, and it's true there's no one dominant market leader, an upcoming wave of corporate spending is totally up for grabs.

Jay Cline leads the data privacy practice at PricewaterhouseCoopers LLP.
