Ahead of Data Privacy Day, only one-third of organizations find it easy to understand their privacy obligations, according to new ISACA research
Schaumburg, IL, USA —The past year saw new developments and updates to privacy regulations across the globe—from India’s Personal Data Protection Bill to Brazil’s General Data Protection Law. However, only 34 percent of organizations say they find it easy to understand their privacy obligations and only 43 percent are very or completely confident in their organization’s privacy team’s ability to ensure data privacy and achieve compliance with new privacy laws and regulations, according to ISACA’s Privacy in Practice 2024 survey report.
More than 1,300 professionals globally who work in data privacy roles responded to the survey, weighing in on privacy topics such as staffing, organization structure, policies, budgets and training.
Privacy Challenges
In addition to difficulty understanding the privacy regulatory landscape, organizations also face other data privacy challenges, including budget. Nearly half of respondents (43 percent) say their privacy budget is underfunded and only 36 percent say their budget is appropriately funded. When looking at the year ahead, only 24 percent say that they expect budget will increase (down 10 points from last year), and only one percent say it will remain the same (down 26 points from last year). Over half (51 percent) expect a decrease in budget, which is significantly higher than last year when only 12 percent expected a decrease in budget.
The path to forming a privacy program is not always a smooth one, either, with respondents indicating that the top obstacles include:
- Lack of competent resources (41 percent)
- Lack of clarity on the mandate, roles and responsibilities (39 percent)
- Lack of executive or business support (37 percent)
- Lack of visibility and influence within the organization (37 percent)
In seeking those competent resources, technical privacy positions are in highest demand, with 62 percent of respondents indicating there will be increased demand for technical privacy roles in the next year, compared to 55 percent for legal/compliance roles. However, respondents indicate there are skills gaps among these privacy professionals; they cite experience with different types of technologies and/or applications (63 percent) as the biggest one.
When looking at common privacy failures, respondents pinpointed the lack of or poor training (49 percent), not practicing privacy by design (44 percent) and data breaches (42 percent) as the main concerns.
“When privacy teams face limited budgets and skills gaps among their workforce, it can be even more difficult to stay on top of ever evolving and expanding data privacy regulations and even increase the risk of data breaches,” says Safia Kazi, ISACA principal, privacy professional practices. “By understanding where these challenges lie, organizations can take the necessary measures to remedy them and change course to strengthen their privacy teams and programs.”
Taking Action
One of the ways that organizations are mitigating both workforce gaps and privacy failures is through training. Half of respondents (50 percent) note they are training to allow non-privacy staff to move into privacy roles, while 39 percent are increasing usage of contract employees or outside consultants.
With employee training, 86 percent indicate their organization provides privacy awareness training for employees, with 66 percent providing training to all employees annually, and 52 percent of respondents providing privacy awareness training to new hires. Sixty percent of organizations review and revise privacy awareness training at least annually. Seventy-one percent believe that privacy training has had a strong or some positive impact privacy awareness in the organization. Interestingly, respondents note that their organizations are most often looking at the number of employees completing training (65 percent) as the main metric used to track effectiveness of privacy training, not a decrease in privacy incidents (56 percent).
Organizations are also taking action to strengthen data privacy by using a variety of privacy controls, with the top three being identity and access management (74 percent), encryption (73 percent), and data security (72 percent).
Despite the challenges faced, 63 percent of organizations say they did not have a material privacy breach in the past 12 months, and 18 percent are not seeing a change in the number of breaches they are experiencing. Respondents are also optimistic about the coming year: less than one in five (16 percent) say they expect a material privacy breach in the next 12 months.
To assess the effectiveness of privacy programs, survey respondents note their organizations are most often taking the approach of:
- Performing a privacy risk assessment (49 percent)
- Performing a privacy impact assessment (PIA) (44 percent)
- Performing a privacy self-assessment (38 percent)
- Undergoing a privacy audit/assessment (34 percent)
Value of Privacy by Design
One of the clearest takeaways from the survey results is that organizations that practice privacy by design experience some key advantages:
- They have more employees in privacy roles (median staff size 15 vs. nine among all respondents) and are more likely to say their technical privacy department is appropriately staffed (42 percent vs. 34 percent among all respondents).
- They strongly believe their board of directors prioritizes organization privacy (77 percent vs. 57 percent total).
- They are much less likely to see organizational privacy programs as purely compliance driven (35 percent vs. 44 percent total), and more likely as a combination of compliance, ethics and competitive advantage (39 percent vs. 29 percent total).
- They are much more likely to see their organization’s privacy strategy aligned with organizational objectives (90 percent vs. 74 percent total).
- They use many more privacy controls in total, overall, than are legally required:
- Data minimization and retention controls (54 percent vs. 39 percent among all respondents)
- Data quality and integrity (50 percent vs. 38 percent)
- Cryptographic protection (59 percent vs. 46 percent)
- Feel their privacy budget is appropriately funded (50% vs. 36% total)
Ultimately, organizations that always practice privacy by design are also much more likely to be very or completely confident in their organization’s privacy team’s ability to ensure data privacy and achieve compliance with new privacy laws and regulations (71 percent versus 43 percent).
“Always practicing privacy by design and employing a proactive, thoughtful approach to one’s privacy program can bring powerful value for organizations,” says Dr. Lisa McKee, founding partner, American Security and Privacy, and member of the ISACA Emerging Trends Working Group. “For many, prioritizing privacy and protecting people’s data is not only the right thing to do, but offers strong benefits in strategy alignment, budgets, staffing, compliance and reputation for their business too.”
Kazi and Jon Brandt, ISACA director, professional practices & innovation for content development and services, will discuss these survey findings further in an upcoming webinar, The State of Privacy 2024, taking place 25 January at 12:00 PM (ET) / 11:00 AM (CT) / 9:00 AM (PT) / 16:00 (UTC). It is free for members and US$75 for non-members and will be available on-demand for a year afterward. To learn more and register, visit http://store.jiejuzhongxin.com/s/community-event?id=a334w000006C7rMAAS.
Recently, ISACA explored other privacy themes in new white papers. Eliminating Deceptive Privacy Practices: Building Trust by Addressing Privacy Dark Patterns explores the problematic nature of dark patterns and strategies that can be used to replace them for consumer-centric alternatives. Applied Data Management for Privacy, Security and Digital Trust examines the connection between privacy and data management and how privacy and security can support digital trust, and educates readers on building and maintaining a data management program that works for their needs.
The Privacy in Practice 2024 survey report is complimentary and can be accessed at jmw.jiejuzhongxin.com/privacy-in-practice-2024.
Additional privacy resources can be found at: jmw.jiejuzhongxin.com/resources/privacy.
About ISACA
ISACA® (jmw.jiejuzhongxin.com) is a global community advancing individuals and organizations in their pursuit of digital trust. For more than 50 years, ISACA has equipped individuals and enterprises with the knowledge, credentials, education, training and community to progress their careers, transform their organizations, and build a more trusted and ethical digital world. ISACA is a global professional association and learning organization that leverages the expertise of its more than 170,000 members who work in digital trust fields such as information security, governance, assurance, risk, privacy and quality. It has a presence in 188 countries, including 225 chapters worldwide. Through its foundation One In Tech, ISACA supports IT education and career pathways for underresourced and underrepresented populations.
Twitter: www.twitter.com/ISACANews
LinkedIn: www.linkedin.com/company/isaca
Facebook: www.facebook.com/ISACAGlobal
Instagram: www.instagram.com/isacanews
Contact
Emily Ayala, +1.847.385.7223
Bridget Drufke, +1.847.660.5554