Boardspan Library

Corporate Data Privacy: Time To Grow Up

by Dan Currell


Eavesdrop on company conversations anywhere from a meeting with the audit committee to front-line managers at the proverbial water cooler, and you will realize that data privacy has risen to the top of business agendas.

Given 43% of companies know they experienced a data breach in the past year, in-house lawyers and others who handle privacy dealings are under pressure to safeguard their companies from angry customers, investors, lawmakers, and suppliers.

Since breaches are hard to uncover, it’s safe to say that the other 57% of companies can’t be certain they haven’t experienced a data breach. And with 2014‘s headlines acting as a reliable guide to next year’s, in the face of a confused corporate response it’s likely those breaches (and headlines) will keep coming.

Maturity Required

One bright light among the doom and gloom, however, is that the severity and velocity of the risks will hopefully be enough to convince corporate privacy programs to mature.

This is a good thing, as there’s a lot of maturing to do. While the emerging data privacy function is hard-working, it is in need of resources, clarity, and leadership.

Most privacy programs have little structure and an ad hoc approach to allocating resources. For instance, 75% of companies that employ a dedicated head of privacy do not have a privacy budget, and tend to throw money reactively at each isolated issue that arises.

When CEB looked at who owned privacy activities across numerous companies, up to 11 different departments were listed as primary owners for each activity among the respondents. How can this be?

This is not a sign of a mature corporate function. When a company experiences established legal issues (a good proxy for the type of issues a data privacy function would handle) ownership isn’t spread out among a half-dozen or more departments. But alarmingly for privacy, every activity seems to be up for grabs.

In certain cases it can make sense for business issues to be co-owned, but this type of approach leads to zero accountability. Companies can only survive this way for so long because eventually there will be a compliance failure that forces the organization to mature once and for all.

It’s not surprising to learn that the majority (75%) of chief privacy officers (CPOs) are unsatisfied or doubtful about their programs.

One cause for optimism though is the sizeable surge of progressive companies committed to implementing privacy infrastructure: clear roles and responsibilities, pronounced budgets, established org structures, improved training, and privacy principles embedded in workflows and product design.

A Data Privacy Agenda for 2015

But there are further challenges ahead. CEB sees four issues that will make managing a firm’s data privacy program hard work in 2015 and beyond.

Growth of “business-led IT”: Decision-making and spending on technology is distributed across business units more now than ever before. This means IT systems are often hosted by vendors. Third-parties are a notorious cause of privacy breaches, but most companies have a limited understanding of the privacy implications.

Constantly evolving threats: Over two-thirds (69%) of executives surveyed believe their companies can’t keep up with the increasing pace and sophistication of cyber-attacks. The effort required to keep up with these changing threats prevents many companies from maturing their privacy programs.

Increase in the strategic value of information: The need to use customer and other sensitive data to establish and sustain any kind of competitive advantage (or market niche) grows every year, and will continue to do so.

Changing employee workflow: Employees access data, collaborate on tasks, and share information in more ways than ever before. This pushes sensitive data into places where it’s hard for even mature privacy programs to safeguard.

While these issues will persist for years to come, CEB research shows leading privacy programs find solutions. Leading privacy teams consistently take the following actions:

  • Integrate privacy into product development
  • Create easy to find and apply privacy policies
  • Build and monitor a privacy-conscious company culture
  • Clearly assign regulatory tracking and update responsibilities
  • Collaborate with others to create a holistic IT strategy
  • Create and rehearse a privacy breach-response protocol
  • Design a third-party privacy diligence and monitoring regime
  • Measure the privacy program’s effectiveness 

The complete list is much longer; however the only way to get out of the current “crisis mode” is to build a system that prevents issues and handles the ones that arise effectively.

--

Republished with permission from CEB Global Blogs. For more, visit CEBGlobal.com.

More on Risk