
Corporate Data Privacy: Time To Grow Up

by Dan Currell

Eavesdrop on company conversations anywhere from a meeting with the audit committee to front-line managers at the proverbial water cooler, and you will realize that data privacy has risen to the top of business agendas.

Given 43% of companies know they experienced a data breach in the past year, in-house lawyers and others who handle privacy dealings are under pressure to safeguard their companies from angry customers, investors, lawmakers, and suppliers.

Since breaches are hard to uncover, it’s safe to say that the other 57% of companies can’t be certain they haven’t experienced a data breach. And with 2014’s headlines acting as a reliable guide to next year’s, and corporate responses still confused, it’s likely those breaches (and headlines) will keep coming.

Maturity Required

One bright light among the doom and gloom, however, is that the severity and velocity of the risks will hopefully be enough to convince corporate privacy programs to mature.

This is a good thing, as there’s a lot of maturing to do. While the emerging data privacy function is hard-working, it is in need of resources, clarity, and leadership.

Most privacy programs have little structure and an ad hoc approach to allocating resources. For instance, 75% of companies that employ a dedicated head of privacy do not have a privacy budget, and tend to throw money reactively at each isolated issue that arises.

When CEB looked at who owned privacy activities across numerous companies, up to 11 different departments were listed as primary owners for each activity among the respondents. How can this be?

This is not a sign of a mature corporate function. When a company deals with established legal issues (a good proxy for the type of issues a data privacy function would handle), ownership isn’t spread out among a half-dozen or more departments. But alarmingly for privacy, every activity seems to be up for grabs.

In certain cases it can make sense for business issues to be co-owned, but this type of approach leads to zero accountability. Companies can only survive this way for so long because eventually there will be a compliance failure that forces the organization to mature once and for all.

It’s not surprising to learn that the majority (75%) of chief privacy officers (CPOs) are unsatisfied or doubtful about their programs.

One cause for optimism though is the sizeable surge of progressive companies committed to implementing privacy infrastructure: clear roles and responsibilities, pronounced budgets, established org structures, improved training, and privacy principles embedded in workflows and product design.

A Data Privacy Agenda for 2015

But there are further challenges ahead. CEB sees four issues that will make managing a firm’s data privacy program hard work in 2015 and beyond.

Growth of “business-led IT”: Decision-making and spending on technology is distributed across business units more now than ever before. This means IT systems are often hosted by vendors. Third parties are a notorious cause of privacy breaches, but most companies have a limited understanding of the privacy implications.

Constantly evolving threats: Over two-thirds (69%) of executives surveyed believe their companies can’t keep up with the increasing pace and sophistication of cyber-attacks. The effort required to keep up with these changing threats prevents many companies from maturing their privacy programs.

Increase in the strategic value of information: The need to use customer and other sensitive data to establish and sustain any kind of competitive advantage (or market niche) grows every year, and will continue to do so.

Changing employee workflow: Employees access data, collaborate on tasks, and share information in more ways than ever before. This pushes sensitive data into places where it’s hard for even mature privacy programs to safeguard.

While these issues will persist for years to come, CEB research shows leading privacy programs find solutions. Leading privacy teams consistently take the following actions:

  • Integrate privacy into product development
  • Create easy-to-find, easy-to-apply privacy policies
  • Build and monitor a privacy-conscious company culture
  • Clearly assign regulatory tracking and update responsibilities
  • Collaborate with others to create a holistic IT strategy
  • Create and rehearse a privacy breach-response protocol
  • Design a third-party privacy diligence and monitoring regime
  • Measure the privacy program’s effectiveness

The complete list is much longer; however, the only way to get out of the current “crisis mode” is to build a system that prevents issues and handles the ones that do arise effectively.


Republished with permission from CEB Global Blogs. For more, visit CEBGlobal.com.
