The Data Privacy Imperative—Organizations Worldwide Work Toward Being Compliant

Ensuring data privacy is now a worldwide concern, with many countries adopting data protection laws. Much work still needs to be done to ensure the privacy of information. Tools and training are keys to success.

The need for better data privacy has become a worldwide focus, and this year is likely to see a host of new privacy laws advance through governments and take effect.

The trend began in earnest a few years ago with the European Union’s General Data Protection Regulation (GDPR), and more than 80 countries and independent territories have now adopted comprehensive data protection laws.

While the U.S. has not adopted a national information privacy law, some states such as California have enacted laws on their own, and many others have active legislative efforts underway.

Privacy laws cover a range of issues related to how organizations should gather, store, and use information that pertains to individuals. They’re designed to safeguard the data, ensure transparency and accountability regarding the use of the data, and make sure the data is timely and accurate—among other provisions.

These regulatory initiatives, while not perfect, are important developments in the age of digital transformation. Who doesn’t want their personal information—financial history, healthcare records, purchasing preferences, etc.—protected from falling into the wrong hands or from being misused by companies?

On the other hand, for many businesses the data privacy movement represents a significant burden in terms of the steps they need to take and the resources they need to devote in order to be compliant. Nevertheless, it’s a responsibility they have to take seriously, or face significant penalties and other negative consequences.

From the looks of things, much work still needs to be done in ensuring the privacy of information. A recent report from ISACA, an organization that provides training and education services for IT professionals, shows critical skills gaps related to data privacy.

The report, Privacy in Practice 2021: Data Privacy Trends, Forecasts and Challenges, is based on a survey conducted in the third quarter of 2020 of 1,873 professionals who work in data privacy or have knowledge of their organizations’ data privacy functions. A majority of respondents who work at organizations that always follow a “privacy by design” strategy (77%) think their boards of directors prioritize privacy. That compares with 52% of all respondents.

Those at privacy by design organizations are also less likely to view privacy programs as driven solely by compliance (22% vs. 34% total) and more likely to view them as driven by a combination of compliance and ethics (62% vs. 52% total). They are also more likely to report that their enterprise privacy strategy aligns with organizational objectives (90% vs. 69% total).

On the other hand, even though enterprises consistently using privacy by design are nearly two-and-a-half times more likely to be completely confident in their organizations’ ability to ensure data privacy and achieve compliance with new privacy laws and regulations, there was not a meaningful difference in the number of privacy breaches experienced in the last 12 months.

About 10% of both groups reported breaches, and ISACA experts think such attacks are potentially underreported.

Respondents identified some common privacy failures, including a lack of training or poor training, failure to perform a risk analysis, and bad or nonexistent detection of personal information. The most helpful ways to overcome these obstacles are using a privacy principles framework, experience-based credentials and privacy training.

In addition, organizations are using privacy controls such as encryption, identity and access management, and data security.

Many are expecting increased demand for technical privacy roles compared with legal/compliance roles, but they see more challenges in staffing technical privacy teams compared with legal/compliance teams. Technical privacy roles are more likely to be considered understaffed.

To overcome this, hiring managers at companies are finding ways to fill these roles by training other employees. Nearly half of those surveyed said they have been training non-privacy staffers who are interested in moving into privacy roles, and a large majority indicated they have privacy professionals on staff who began their careers in IT or security and moved into privacy and compliance.

Organizations can’t view data privacy as a “one-time, check-the-box activity” to comply with regulations, the report said. The Covid-19 pandemic highlights the extreme consequences of having a weak privacy posture and lack of respect for personal data.

As the study concludes, the substantial financial and reputational harm associated with violating privacy laws and regulations has made privacy a priority for boards of directors at companies. Despite economic uncertainty resulting from the Covid-19 pandemic, privacy is still funded and prioritized.

The shift to remote work underscores the importance of a strong privacy program, and few organizations anticipate decreases in privacy budgets despite the financial challenges.

Organizations need to have in place the technology tools as well as the skills to manage and support privacy programs.