Privacy is a thriving industry undergoing rapid growth, yet there is relatively little data about how the work of privacy is done, according to the International Association of Privacy Professionals (IAPP) and EY. In an effort to address the issue, the two organizations commissioned a survey to document the status of privacy governance today. Last week, they released a report based on their data.
Overall, the findings were positive, though the organizations say there is still room for improvement.
"We found that privacy professionals earn well, are trained in law, business and technology, influence a broad swath of departments across their organizations and are increasingly part of strategic management teams," said the report. "At the same time, privacy programs clamor for additional resources and seek more sophisticated and efficient technological tools to monitor, manage and protect data flows in their organizations."
The data revealed several interesting trends. First, there is a strong correlation between the maturity of privacy programs and company size. The privacy programs in large companies are better staffed (24 professionals on average) and resourced ($1 million on average) than those in small and medium size enterprises (two and $75,000, respectively).
However, most privacy professionals surveyed said they expect their staff and budgets to grow over the next year. Most also said their influence within their organizations is growing. Increasingly, the leading privacy role (Chief Privacy Officer or similar) is on par with the Chief Information Security Officer, found the report.
When it comes to how an organization addresses security, the report found significant differences among unregulated and regulated industries. Unregulated industries reported a greater investment in privacy programs and a stronger focus on risk mitigation, brand management and consumer expectations (they also tend to position privacy as a competitive differentiator). Meanwhile, regulated industries understandably tend to place greater focus on compliance and accountability processes.
Government programs, meanwhile, reported low budgets and staff shortages and a focus on compliance and prevention of data loss.
"There are clearly still low budgets and a lack of staff resources for privacy programs at government agencies," said Omer Tene, vice president of Research and Education at IAPP. "In comparison to the private sector, government is investing fewer resources, privacy budgets are smaller and people feel their career opportunities in this space are more restricted than they are in the private sector."
Train, train, train
Fortunately, said Tene, organizations can take steps to improve privacy efforts regardless of budget. Training employees to recognize and identify data privacy issues is one key way to do so, but such training shouldn’t be restricted only to the CPO or equivalent and his/her team.
"Increasingly, we see companies training large numbers of employees about privacy," said Tene. "We've actually seen companies offer training to thousands of employees. Anyone who touches personal data of consumers or of other employees in their day-to-day activities is being trained to recognize and identify privacy issues, and to at least have the ability to escalate problems if they encounter them."
Overall, Tene said the importance of privacy for any business, organization, or government speaks for itself today.
"After major data breaches at OPM, Ashley Madison, Anthem Health, etc., I think we are beyond the point of trying to figure out if this is important and more at the point of having to think of what the solutions are," he said. "This survey provides a good benchmark to at least see what organizations are doing."