Sydney, Australia (23 January 2023) – A web of complex and ever-evolving data privacy regulations – including strengthening of Australia’s online privacy legislation – is having an impact, with less than half of respondents in Australia and New Zealand finding it easy to understand their organisation’s privacy obligations. In addition, only 35 percent report being highly confident in the ability of their organisation’s privacy teams to ensure data privacy and achieve compliance with new privacy laws and regulations.
ISACA’s Privacy in Practice 2023 research report finds those enterprises that consistently practice privacy by design reap rewards, but many face challenges getting there because of privacy budgets, staffing and skills gaps.
Jo Stewart-Rattray, Information Security Advisory Group, ISACA said enterprises must stay compliant and protect the privacy of their data subjects or lose trust and take a hit to their reputation.
“We have seen a remarkable increase in the volume and sophistication of data breaches in Australia over the past year and this new research serves to validate and urge enterprises to prioritise privacy by design,” said Stewart-Rattray. “This means ensuring that good privacy practices are built into your organisation’s decision-making and digital transformation from the outset. It is an investment that will return benefits in the form of consumer trust, reputational respect and in turn, financial security.”
The ROI of Privacy by Design
The survey found that organisations consistently practicing privacy by design (30 percent, up two points from 2022) are at an advantage. In Australia and New Zealand they are one and a half times more likely to be confident in their organisation’s ability to ensure the privacy of its sensitive data and more likely to see their organisation’s privacy strategy aligned with organisational objectives (81 percent vs. 73 percent total) compared with global results of 92 percent vs 73 percent total.
Additionally, organisations in ANZ that always practice privacy by design believe addressing privacy with documented privacy policies is mandatory (92 percent vs 73 percent total).
Privacy Program Obstacles
The ISACA research identified three top obstacles to forming a privacy program:
- Lack of competent resources (50 percent vs 42 percent globally)
- Lack of clarity on the mandate, roles and responsibilities (46 percent vs 40 percent globally)
- Lack of executive or business support (42 percent vs 39 percent globally)
Only half of all Australia and New Zealand respondents believe their board of directors adequately prioritises privacy (50 percent vs 55 percent globally), which suggests an opportunity for boards to improve communication about their commitment to privacy efforts.
Privacy budgets also remain underfunded at many organisations, with only 31 percent of respondents saying their privacy budget is appropriately funded (compared to 36 percent globally).
Staffing Shortages, Skills Gaps
When it comes to resources, privacy staff shortages persist and the demand for both technical and legal/compliance roles is expected to increase during 2023. For Australia and New Zealand respondents, technical privacy roles remain more understaffed than legal/compliance roles: 56 percent of respondents indicate that technical roles are somewhat or significantly understaffed, versus 46 percent for legal/compliance roles (globally 53 percent vs 44 percent). The survey also found that 83 percent of respondents expect increased demand for technical privacy roles in the next year (69 percent globally), compared to legal/compliance roles (73 percent vs 62 percent globally).
“Organisations may desire to comply with privacy regulations and build a privacy by design culture, but without a strong team of privacy practitioners, they face significant obstacles to achieving these goals,” says Safia Kazi, ISACA principal, privacy practices. “With the increased need for these privacy practitioners’ technical and legal expertise to keep pace with the regulatory landscape, it is more important than ever to cultivate and train a strong, skilled privacy workforce to meet the demand.”
To fill this skills gap, organisations are training to allow non-privacy staff to move into privacy roles (54 percent vs 49 percent globally) and increasing their use of contract employees or outside consultants (48 percent vs 38 percent globally).
Respondents cited the most common causes of privacy failures as lack of training (58 percent vs 49 percent globally), data breach (48 percent vs 42 percent globally) and not practicing privacy by design (56 percent vs 42 percent globally). To tackle the most common cause of privacy failures, 85 percent of respondents globally report that their organisation provides privacy awareness training for employees, but only 59 percent review and revise privacy awareness training at least annually (48 percent of Australia and New Zealand respondents).
Though the metric used most often among Australia and New Zealand respondents to measure training effectiveness is the number of employees completing training (63 percent vs 65 percent globally) instead of a decrease in privacy incidents (58 percent vs 54 percent globally), 77 percent believe that privacy training has had a positive impact on privacy awareness in the organisation (73 percent globally).
The survey report—reflecting the insights of 1,890 global respondents with 62 in Australia and New Zealand who currently work in data privacy or have detailed knowledge of the data privacy function within their organisation—examines privacy staffing, organisation structure, frameworks and policies, budgets, training, and data breaches.
To download a complimentary copy of the Privacy in Practice 2023 survey report, visit www.isaca.org/privacy-month-2023. ISACA is a nonprofit, independent professional association with 165,000 members in 188 countries. Members represent all areas of digital trust, including data privacy.
ISACA® (www.isaca.org) is a global community advancing individuals and organisations in their pursuit of digital trust. For more than 50 years, ISACA has equipped individuals and enterprises with the knowledge, credentials, education, training and community to progress their careers, transform their organisations, and build a more trusted and ethical digital world. ISACA is a global professional association and learning organisation that leverages the expertise of its more than 165,000 members who work in digital trust fields such as information security, governance, assurance, risk, privacy and quality. It has a presence in 188 countries, including 225 chapters worldwide. Through its foundation One In Tech, ISACA supports IT education and career pathways for under-resourced and underrepresented populations.