A recent global survey conducted by digital trust leader ISACA, Privacy in Practice, sheds light on the top data privacy considerations that organisations are facing in 2023. What is glaringly apparent is that many of these challenges can be successfully avoided, better managed and overcome when both the technical and compliance privacy teams work together.
Privacy practitioners can be classified into one of two groups – compliance professionals who bring the legal know-how and knowledge of privacy laws and regulations; and technical professionals who bring the expertise to apply controls to protect data and achieve compliance.
These teams should not be siloed, yet I have seen many times that they operate disparately from each other.
In Australia and New Zealand, 46 percent of survey respondents said a barrier to implementing a privacy program is a lack of clarity on the mandate, roles and responsibilities of privacy professionals. And 42 percent reported a lack of executive support when it comes to implementing a privacy program.
I want to explore some of the potential drivers behind these concerning figures.
The survey indicates privacy budgets remain underfunded at many organisations, with only 31 percent of respondents saying their privacy budget is adequately financed. It is no surprise that lack of funding leads to under-staffing of privacy teams, resulting in some cases in a cross-over of roles and responsibilities, making it extremely challenging to implement a successful privacy program.
However, as cybersecurity and privacy become increasingly legislated and prioritised in Australia and New Zealand, I expect to see a positive change in this result, with organisations redirecting funds to ensure they comply with updated privacy regulations and protect customer data.
Staffing Shortages and Skills Gaps
Interestingly, the survey points to another factor that may be contributing to a lack of cohesion among compliance and technical teams, which is the disproportionate levels of staffing.
For Australia and New Zealand respondents, technical privacy roles remain more understaffed than legal/compliance roles: 56 percent of respondents indicated that technical roles are somewhat or significantly understaffed, versus 46 percent for legal/compliance roles. The survey also found that 83 percent of respondents expect increased demand for technical privacy roles in the next year, compared to 73 percent for legal/compliance roles.
It’s good to see some positive steps being taken to fill this skills gap. Organisations are training to allow non-privacy staff to move into privacy roles (54 percent) and increasing their use of contract employees or outside consultants (48 percent).
This training process provides an excellent opportunity to reinforce the importance of cohesive teams and the power of compliance and technical teams supporting and educating each other.
Though the metric used most often among Australia and New Zealand respondents to measure training effectiveness is the number of employees completing training (63 percent) rather than a decrease in privacy incidents (58 percent), 77 percent believe that privacy training has had a positive impact on privacy awareness in the organisation.
Moving forward – Privacy by Design
The ultimate goal of any organisation is to practice Privacy by Design. This means embedding well-developed privacy practices into the very core of the organisation and across all aspects of IT systems and business practices. Not only does this help protect against financial and security risk, but it also safeguards the reputation of an organisation from the harmful effects of a privacy breach.
It’s encouraging that organisations consistently practicing privacy by design (30 percent, up two points from 2022) are at an advantage. In Australia and New Zealand, they are one and a half times more likely to be confident in their organisation’s ability to ensure the privacy of its sensitive data and more likely to see their organisation’s privacy strategy aligned with organisational objectives (81 percent vs. 73 percent total).
Additionally, organisations in ANZ that always practice privacy by design believe addressing privacy with documented privacy policies is mandatory (92 percent).
While we must all aspire to achieving Privacy by Design in our organisations, it is only possible with a cohesive privacy team whose members understand and respect each other, with clearly defined roles and responsibilities.
And this starts at the top.
When executives prioritise Privacy by Design and reinforce the importance of a connected privacy team, they are much better placed to tackle the myriad privacy concerns facing enterprise today.
To download a complimentary copy of the Privacy in Practice 2023 survey report, visit www.isaca.org/privacy-month-2023.