How to Increase Your Privacy (and Legal Compliance) Budget with Legal Math.

The art and science of privacy and legal compliance risk management is a complex one, often requiring a menagerie of different skills, resources and creativity to achieve effective outcomes. Two key challenges loom for practitioners on a day-to-day basis:

  • Getting enough stakeholder engagement to take necessary actions to achieve required outcomes, and
  • Having the necessary resources to ensure the organisation is operating at tolerable risk thresholds.

The above can often come into conflict with the organizational culture, particularly where there is a strategic imperative for innovation and growth. AI initiatives, for example, usually involve extrapolating from vast amounts of data subject to regulatory mandates in order to generate meaningful results. With increasingly complex legislative frameworks operating across the globe, the administrative burden has never been greater relative to the available resources.

Getting a Bigger Piece of the Budget Pie

Privacy and legal compliance professionals should look across the table and ask why colleagues in cybersecurity (who have similar challenges) are doing a lot better. According to Gartner [1], a typical organization is increasing its spend on security at a rate of 8-12% per year. Privacy teams on the other hand are facing budget cuts, with more than half of privacy professionals expecting budget cuts in 2026 [2].

Anyone who has kept an eye on both industries will notice a stark difference between how the two are reported or discussed in news articles, hinting at the underlying reason. Privacy (and regulatory update) articles often discuss the nuances of changes to regulatory mechanisms and/or provisions, with the impact usually framed in terms of managing compliance within the bounds of such a change. Cybersecurity articles, on the other hand, cite stats, stats and more stats, on everything from business budgets and industry segments to investment category breakdowns.

The stark difference points to the laser focus cybersecurity professionals have on the business. In particular:

  • How do we measure what we manage – through data driven business cases.
  • How do we demonstrate the impact of non-compliance on the business – in dollars and cents.

It might be argued by privacy and legal compliance professionals that the latter is more complex in their domain. The impact on the business, for example, is often indirect, as many legal frameworks require action to be taken by regulatory authorities, in the form of administrative fines or legal costs, before any loss materialises.

Irrespective of the above, it ultimately leads to two very different budget ask scenarios:

  • We need $X to address ISSUE A. There is a high risk we will be non-compliant with Y law.
  • We need $X to address ISSUE A. Our modelling suggests it may cost the business $Y annually if we do not deal with it.

The former highlights a potential danger but also raises doubts in the mind of the corporate sponsor – what is the impact of a breach to the business? Even if a monetary penalty accompanies the ask, there remains the question of how remote the possibility of regulatory action is. The latter on the other hand implicitly demonstrates a deep understanding of business operations and how non-compliance has a direct nexus to the bottom line.

To get a bigger piece of the budget pie, privacy and legal compliance professionals must learn from the same playbook.

Legal Math

That is why we developed Legal Math – a data driven approach to directly model the potential costs to the business as a result of legal non-compliance through specific action/inaction. It is based on the same principles used by the cybersecurity industry [3].

Legal Math quantifies legal risk by breaking it down into measurable components: the applicable legal provisions subject to non-compliance, and the fines regulators have previously imposed for breaching those provisions. These are augmented by organisational data inputs on the nature of the risk being assessed and the rate at which complaints are referred to a regulatory agency each year. Together, these data points generate an Annualised Expected Loss (AEL): the loss (in dollars and cents) an organisation can expect to incur each year through a specific business action/inaction.

A secondary loss multiplier is also generated to approximate potential loss as a result of penalties imposed through related provisions and/or legal actions. This is used to account for instances where:

  • Authorities impose penalties for contravention of multiple provisions simultaneously, or
  • There is potential for peripheral actions as a result of breaches of other provisions, due to an organisation’s risk profile.

The Calculation Challenge

Legal Math is perhaps one area where leveraging AI may be a necessity. The above process requires a combination of legal and mathematical modelling skills, as well as domain data collection. Specifically:

  • Every issue assessed must be analysed against the applicable legal framework, to discern what provisions have been breached.
  • Each breach then needs to be assessed against historical data on imposed penalties.
  • This can then be used to calculate an accurate estimate of the Annualised Expected Loss, which often involves use of probability distribution sampling that takes into consideration different scenario loss expectations.

Needless to say, doing the above manually would take a significant amount of time, effort and resources.
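As an added example (not the article's own tooling, and not a Legal Math implementation), the following Python script models the components described above: the provisions breached by an issue, the historical fine range for each provision, organisational complaint and referral rates, and a secondary loss multiplier, combined through Monte Carlo sampling to produce an AEL with percentile bands. The scenario figures, the triangular fine distribution, the Poisson complaint model and the `Provision`/`Scenario` names are all assumptions chosen for illustration; the closed-form function exists so the simulation can be sanity-checked against an analytic answer.

```python
# Added example: Monte Carlo Annualised Expected Loss (AEL) for a legal
# compliance scenario. Not the article's own tooling; the distributions and
# every figure below are constructed assumptions for illustration.
import math
import random
from dataclasses import dataclass
from statistics import mean, quantiles


@dataclass
class Provision:
    """A legal provision breached by the assessed issue, with the range of
    fines regulators have historically imposed for it (assumed triangular)."""
    name: str
    fine_min: float
    fine_mode: float   # most frequently observed fine
    fine_max: float

    def sample_fine(self, rng: random.Random) -> float:
        return rng.triangular(self.fine_min, self.fine_max, self.fine_mode)

    def expected_fine(self) -> float:
        # mean of a triangular distribution
        return (self.fine_min + self.fine_mode + self.fine_max) / 3


@dataclass
class Scenario:
    """Organisational inputs for one business action/inaction being assessed."""
    complaints_per_year: float          # complaints the issue is expected to generate
    referral_rate: float                # share of complaints referred to the regulator
    enforcement_rate: float             # share of referrals that end in a penalty
    provisions: list                    # provisions breached by the issue
    secondary_multiplier: float = 1.0   # uplift for related provisions/actions


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: draw a Poisson(lam) count using only rng.random()."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def expected_loss_closed_form(s: Scenario) -> float:
    """Analytic AEL = expected penalties per year x expected loss per penalty.
    Used as a sanity check on the simulation."""
    penalties_per_year = s.complaints_per_year * s.referral_rate * s.enforcement_rate
    loss_per_penalty = sum(p.expected_fine() for p in s.provisions)
    return penalties_per_year * loss_per_penalty * s.secondary_multiplier


def simulate_ael(s: Scenario, iterations: int = 20_000, seed: int = 7) -> dict:
    """Simulate `iterations` years. Each year: Poisson complaints, thinned by
    the referral and enforcement probabilities; each resulting penalty sums one
    sampled fine per breached provision, scaled by the secondary multiplier."""
    rng = random.Random(seed)
    yearly_losses = []
    for _ in range(iterations):
        complaints = _poisson(rng, s.complaints_per_year)
        penalties = sum(
            1 for _ in range(complaints)
            if rng.random() < s.referral_rate and rng.random() < s.enforcement_rate
        )
        loss = 0.0
        for _ in range(penalties):
            loss += sum(p.sample_fine(rng) for p in s.provisions) * s.secondary_multiplier
        yearly_losses.append(loss)
    pct = quantiles(yearly_losses, n=100)   # pct[i-1] is the i-th percentile
    return {
        "ael": mean(yearly_losses),
        "p50": pct[49],
        "p90": pct[89],
        "p95": pct[94],
        "prob_no_loss": yearly_losses.count(0.0) / iterations,
    }


# Constructed scenario: a data-retention issue breaching two provisions.
EXAMPLE = Scenario(
    complaints_per_year=40,
    referral_rate=0.25,
    enforcement_rate=0.5,
    provisions=[
        Provision("Retention limit", 50_000, 150_000, 400_000),
        Provision("Notification duty", 10_000, 30_000, 80_000),
    ],
    secondary_multiplier=1.25,
)

if __name__ == "__main__":
    print(f"closed-form AEL: {expected_loss_closed_form(EXAMPLE):,.0f}")
    for key, value in simulate_ael(EXAMPLE).items():
        print(f"{key:>12}: {value:,.2f}")
```

The percentile bands are the part a budget sponsor tends to ask about next: the AEL is a mean, and the p90/p95 figures show how bad a single year can plausibly be, which is the number that justifies a remediation spend of $X against a modelled annual loss of $Y.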

Conclusion

To successfully do their jobs, privacy and legal compliance professionals need adequate budgets and resources. If these are not provided, hard self-reflection may be required. Ineffective stakeholder engagement, due to an inadequate focus on direct business impact, may be at the heart of the problem. Using a data driven approach (such as Legal Math) can help stakeholders more intuitively understand how privacy and legal compliance functions/activities directly impact the business's bottom line.


[1] https://www.elisity.com/blog/2026-cybersecurity-budget-complete-enterprise-planning-guide#:~:text=What%20the%20Numbers%20Say:%20Global,to%20benchmark%20your%20own%20spend.

[2] https://idm.net.au/article/0015470-budget-cuts-hit-privacy-teams-hard#:~:text=The%20report%20found%20that%2029,data%20protection%22%20in%20job%20titles.

[3] Factor Analysis of Information Risk (FAIR)