Securing Executive Buy-In For Your Privacy Program
Recent research paints a picture of the Australian privacy landscape where undersized and underfunded teams are struggling with increasing complexity. Australian privacy teams, for instance, are smaller than those in North America, Europe, and Asia. And despite increasing compliance requirements in Australia, it seems that the size of privacy teams has stabilised (according to the 2024 Privacy Governance Report and Privacy 108’s 2024 privacy job report which shows a very small increase in privacy job ads in 2024).
In other words, executives in Australian organisations aren’t prioritising privacy – despite growing customer frustration with continued data breaches and harm caused by poor privacy hygiene and practices. And, based on 2025 research from security platform ISACA, it seems likely that privacy budgets may be cut this year (with 48% of respondents stating their privacy budget will decrease in the coming 12 months). So, in that context, how can you secure executive buy-in for your privacy program?
The Strategic Business Value of Privacy
Leadership in most organisations is focused on growth and profitability in the short- and long-term. However, ISACA’s 2025 Report on the State of Privacy reveals that 42% of privacy professionals believe their board of directors view privacy as a compliance function. This is again consistent with our own research which shows that privacy jobs in Australia are increasingly being given a compliance function. Meanwhile, a minority of boards view privacy as a function that can be a competitive advantage.
(We’ve said it before, but we think privacy is one of the most underutilised competitive advantages available to organisations in today’s business landscape.)
What this data tells us is that boards and executive leadership teams across the globe and in Australia are not adequately informed about the role and power of privacy. This provides an opportunity for privacy professionals to get buy-in from executives by framing privacy as having strategic business value.
Here are some angles you could take to get buy-in through this framing:
- Privacy can be a powerful differentiator. Encourage your executives to consider how companies like Apple and Porsche use privacy functionality to build trust.
- Position privacy as an innovation-enabler. This is counter to the common narrative that privacy stifles innovation, so you will want to paint a fairly vivid picture of how privacy can prompt innovation in your organisation – or how competitors are already doing this.
- Demonstrate how a more mature privacy program would allow you to leverage and use data more effectively and more responsibly, and how it can support clean, ‘usable’ data.
- Detail how your organisation’s privacy practices will play a crucial role in organisational resilience and continuity. You can position privacy as something that prompts financial, operational, and reputational resilience – in line with Deloitte’s key criteria for organisational resilience.
- Develop strategic metrics or calculate the ROI of privacy or privacy training. This could look like comparing the cost of a human error data breach to the cost of privacy training, or (a more complex example) the benefit of a more mature program enabling faster market entry in jurisdictions with more stringent privacy laws.
Communicating The Value of Privacy in an Engaging Way
The (harsh) reality is that the disconnect between your organisation’s executive and your privacy team is likely in part due to the way you communicate about privacy and long-held misconceptions (e.g. privacy and security are the same thing).
While Australian organisations should likely be investing more in privacy, it’s important to recognise that the executives have a range of priorities and mandates. As a result, your privacy team has to take some responsibility for the urgency or priority the executives give privacy programs.
We wrote a detailed guide to communicating about privacy issues within your organisation. In that guide, we highlighted some tips for communicating about privacy clearly and effectively, namely:
- Tailor your message
- Time your communications
- Make it relevant.
We also created this checklist as an accompaniment to that post. It’s relevant here too, so see that graphic for our framework.
But in terms of communicating more effectively with the executives, we also suggest:
- Build cross-functional support for the suggested program. If you have stakeholders from multiple departments (often HR, legal, IT, and marketing), it demonstrates broader organisational support and can strengthen your position when seeking executive buy-in.
- Create opportunities for executives to participate in privacy-related discussions, like workshops, training, or even involving them in a privacy impact assessment for a project from another department.
- Highlight trends, especially around consumer expectations, to bolster your position. But be careful not to rely too heavily on statistics and data. Instead, make them part of a broader story.
If you’re able to tie your privacy program into broader business objectives, demonstrate an ROI, and then communicate the value of your program to your executives, you’re more likely to get buy-in from them.