The following is a guest post from Brian Kudowitz, Bloomberg Law’s Commercial Product Director for Privacy and Data Security.
A robust and successful privacy program requires proactivity, resources, business integration and employee fluency. Yet organizational privacy leaders face many obstacles, including budget constraints, cultural inertia and ineffective communication.
Many organizations have a clear view about what the most significant privacy risk factors are likely to be, and what controls are needed to manage them, according to new research from Bloomberg Law and the International Association of Privacy Professionals (IAPP).
However, there is a startling lack of readiness to implement those controls, and organizations are therefore more vulnerable than they might initially appear to be. In particular, the C-suite needs to be better informed and more actively involved in privacy risk management decisions.
Recently, Bloomberg Law, along with IAPP, set out to benchmark corporate privacy risk assessment and mitigation practices in a global study. The focus was to provide insight and clarity to an industry in the midst of growing pains attributable to shifting regulatory landscapes, evolving technology and emerging issues.
Bloomberg and IAPP worked with 350 executive-level privacy professionals from across the globe, including the United States, Canada and Europe.
There were a few instances in which U.S. and non-U.S. respondents' answers differed significantly, most notably in the differing philosophical approaches to privacy and data security taken by respondents in the U.S. and the EU.
For example, non-U.S. respondents were less concerned about the risk of breaches, and placed less emphasis on vendor management and cyber insurance as risk mitigation measures, than their U.S. peers. In general, the research found, the EU data protection culture is less focused on breach preparedness and response.
Respondents outside the U.S. also placed less emphasis on budget and interdepartmental communication.
Organizations inside and outside of the U.S. also prioritized actual risks differently. Brand impact and data breaches were, unsurprisingly, identified as top risks by both U.S. and non-U.S. companies. But non-U.S. respondents placed significantly greater emphasis than U.S. companies on the risk of regulatory enforcement.
It is possible to address the gaps—but it all comes down to leadership
Leveraging the corporate board as a championing force is the most effective way to drive the change necessary.
While there was relative uniformity about which risk mitigation controls are considered most important—board buy-in, training and education, vendor management, employee monitoring, interdepartmental communication and program maturity—the research found a startling gap between the importance attached to those controls and respondents' stated readiness to implement them.
Most companies are still maturing their privacy programs. At the highest level, the gaps indicate that corporations need to invest more in proactive approaches to keep up with the dynamically changing landscape and their own evolving business needs.
Reacting to privacy concerns
A purely reactive stance no longer works, the research found. Incidents have increased by 38% over the past year, including some of the largest breaches to date, and key industries are still lagging in terms of security.
For instance, the study shows that there is tremendous focus, yet low readiness, when it comes to managing privacy risk around crucial business dependencies such as third-party vendors. A significant portion of breaches stem from current and former vendors; the Target breach is a well-known example.
Respondents also expressed low confidence in managing privacy risk around human capital, namely in monitoring employees. This is particularly troublesome for numerous reasons, considering that a significant portion of breaches can be attributed to current and former employees.
Organizations can close privacy gaps by taking proactive approaches, such as developing procedures to carry out regular privacy impact assessments and designing privacy into new product and service development. That requires making privacy risk management a natural and integrated part of organizational behavior and decision-making, just as with financial discipline, human resources and intellectual property protection.
Such actions require a cultural shift, which must come from the top. Leadership buy-in is an essential risk control, according to the study. In fact, respondents also indicated that multiple members of the C-suite should be involved in risk assessment.
Another proactive approach lies in ongoing training and education within an organization. Some of the greatest gaps identified in the study relate to training and education, interdepartmental communication, budget and program maturity. Those are also controls most directly impacted by leadership buy-in as they relate to both organizational culture and fiscal concerns.
Top-down approach to privacy
While corporations can attempt to address those privacy gaps piecemeal, the research found that efforts to shore up a privacy program depend significantly on top-down support.
Privacy controls are only as strong as board support. It is not just an issue of resources to put in place a central privacy program, but also one of facilitation and adoption across numerous parts of complex multinational organizations.
Leadership may need to enable cultural shifts to ensure interdepartmental communication and the necessary human capital and programs for improved employee privacy education.
Leveraging the board as an asset to champion privacy, as a necessary component of business operations and even as a market-facing value proposition, will help resolve many of the gaps that stem from the need to grow.
There is still much more to be done in bringing risk controls into accord with stated best practices. It is clear from the study data and incident trends, however, that as companies develop their privacy programs, they must take a proactive stance on regular risk assessment and other privacy controls that is in line with the realities of their business models.