Organizations that practice privacy by design are more likely to be confident in their ability to protect the privacy of sensitive data, according to new research from ISACA.
ISACA’s Privacy in Practice 2023 survey report, released ahead of Data Privacy Day on 28 January, finds that those enterprises that always practice privacy by design reap rewards but also must work through significant challenges when it comes to privacy budgets, staffing and skills gaps.
The survey report—reflecting the insights of 1,890 global respondents who currently work in data privacy or have detailed knowledge of the data privacy function within their organization—is released as the new year presents a critical opportunity for organizations to revisit their approaches to privacy and data protection.
Privacy by Design an Enterprise Strength
The survey found that those organizations that always practice privacy by design (30 percent, up four points from 2022) are one-and-a-half times more likely to be completely or somewhat confident in their organization’s ability to ensure the privacy of its sensitive data (65 percent vs. 40 percent total) and more likely to see their organization’s privacy strategy aligned with organizational objectives (92 percent vs. 73 percent total).
Additionally, these organizations that always practice privacy by design:
- Feel that their board properly prioritizes privacy (76 percent compared to just 55 percent total)
- Have more employees in privacy roles within their organization (the median privacy staff size is almost twice as large at 19 compared to 10 total) and are more likely to feel that their privacy department is adequately staffed (44 percent vs. 34 percent total).
Privacy Program Obstacles
However, respondents indicated that there are obstacles to forming a privacy program, with the top three being:
- Lack of competent resources (42%)
- Lack of clarity on the mandate, roles, and responsibilities (40%)
- Lack of executive or business support (39%)
While most survey respondents believe that their boards of directors adequately prioritize privacy (55 percent), 22 percent do not believe that their board prioritizes privacy and 20 percent do not know. This could suggest that boards have an opportunity to improve their communication about their commitment to privacy efforts. Thirty-eight percent of respondents say that a lack of visibility and influence in the organization is another challenge.
Privacy budgets also remain underfunded at many organizations: more than half of respondents (52 percent) feel their privacy budget is underfunded, and only 36 percent cite it as appropriately funded. Just over a third of respondents (36 percent) indicate their privacy budgets will increase in 2023.
While 75 percent of respondents are confident in their organization’s ability to ensure the privacy of its sensitive data, this confidence is declining—down six points from last year.
Staffing Shortages, Skills Gaps
When it comes to resources, privacy staff shortages persist and the demand for both technical and legal/compliance roles is expected to increase next year. Technical privacy roles remain more understaffed than legal/compliance roles: 53 percent of respondents indicate that technical privacy roles are somewhat or significantly understaffed, versus 44 percent for legal/compliance roles. The survey also found that unfilled positions are expected to increase year over year (34 percent saying this is the case for technical privacy roles and 27 percent for legal/compliance roles). Additionally, technical privacy roles (69 percent) are more likely to have increased demand in the next year compared to legal/compliance roles (62 percent).
Most also indicated that the amount of time to fill roles increased or stayed the same as last year, with 76 percent having the most difficulty hiring expert-level privacy professionals. Around one-fifth of respondents say that less than one quarter of applicants for privacy roles at their enterprises were qualified for those positions.
“Organizations may have the best intentions in complying with privacy regulations and building a privacy by design culture, but without a strong team of privacy practitioners, they face significant obstacles to achieving these goals,” says Safia Kazi, ISACA principal, privacy professional practices. “With the increased need for these privacy practitioners’ technical and legal expertise to keep pace with the regulatory landscape, it is more important than ever to cultivate and train a strong, skilled privacy workforce to meet the demand.”
Taking Action
To fill this skills gap, organizations are training non-privacy staff so they can move into privacy roles (49 percent) and increasing their usage of contract employees or outside consultants (38 percent).
In terms of privacy failures, respondents cited the most common causes as lack of training (49 percent), data breach (42 percent) and not practicing privacy by design (42 percent). To tackle this, 85 percent of respondents indicate their organization provides privacy awareness training for employees, and 59 percent review and revise privacy awareness training at least annually. Though the metric used most often to measure training effectiveness is the number of employees completing training (65 percent) instead of a decrease in privacy incidents (54 percent), 73 percent believe that privacy training has had a positive impact on privacy awareness in the organization.
“Protecting data privacy goes hand in hand with digital trust,” says Michelle Finneran Dennedy, director, ISACA Digital Trust Advisory Council. “Enterprises that commit to a privacy by design approach, devoting staff, resources and training toward advancing privacy, are able to instil confidence and build a positive reputation with both external and internal stakeholders.”
“This is just the beginning of the privacy journey for many organizations,” privacy expert Lisa McKee wrote in a recent ISACA Now blog post. “There are always opportunities to evolve and advance privacy across the organization. Just start somewhere. Privacy is complex and multi-disciplinary. It is not about getting it right, but instead just starting somewhere. No matter what happens, one thing is certain: privacy is here to stay as an important digital trust discipline. Climb aboard for a journey that will be similar to what security has gone through over the past 20 years.”