Many boards don’t make privacy one of their organization’s priorities, a survey of professionals suggests.
According to the annual state of privacy survey of members of ISACA (formerly known as the Information Systems Audit and Control Association) — released in conjunction with Data Privacy Week — 22 per cent feel their boards don’t put a priority on privacy. A further 20 per cent said they don’t know if their boards adequately prioritize privacy. Fifty-five per cent believe privacy is a priority with their boards.
“It’s not entirely surprising,” Safia Kazi, ISACA principal for privacy practices, said in an interview. “I think a lot of people view privacy as a cost centre. It’s something that maybe slows down a project. You acquire a new program or resource and you go ‘Is it GDPR compliant? Do we have to start over again [with a new privacy assessment]?’ I think that’s where some of that comes from. The other thing I found is that 20 per cent of our respondents said they don’t know if their board prioritizes privacy. That could speak to a board that maybe isn’t communicative about it (privacy).”
The 55 per cent who believe their boards do prioritize privacy is slightly higher than the 2021 survey, she added. “I think in general we’re moving in the right direction, but there is some way to go.”
The survey, conducted in the fourth quarter of 2022, saw responses from 1,890 ISACA members who currently work in data privacy or have detailed knowledge of the data privacy function within their organization. Questions were asked on privacy staffing, budgets, program trends, awareness training and breaches, and the use of privacy by design.
Among the results, Kazi noted, is that organizations that practice privacy by design are more likely to have a board that adequately prioritizes privacy and have larger numbers of employees dedicated to setting and enforcing privacy policies.
“The tone really can start at the top,” she said. “When you don’t have that support, it can be really hard to get the resources you need.”
Another noteworthy finding is that 31 per cent of respondents said their organization doesn’t separate privacy and security training for employees. “That was a little disappointing,” Kazi said. “I think the problem is a lot of people [in management] have security training and think, ‘Privacy is close enough. What’s the difference?’ My concern is that, if you are just teaching people security and not privacy, you’re not really building trust with customers. If the organization is collecting too much of someone’s personal information, that’s not necessarily a security issue but it would be a privacy issue.”
“But I also want to point out that organizations have so much they have to do. You can’t be taking up everybody’s time with a thousand security training and privacy training meetings. My hope is that organizations that combine privacy and security training have a specific call-out to privacy and give it the attention and time it needs.”
“One trend that makes me optimistic is it looks like privacy is faring a little bit better than it has in previous years,” she said of other survey results. “Privacy teams are a little bit larger than they were last year and the year before. Also, we’re seeing that members are less likely to say they were understaffed this year compared to last year. That said, understaffing is still a challenge; filling open privacy positions is a big challenge.”
Overall survey results suggest that, “for the most part”, enterprises realize privacy isn’t going away, she said, with many organizations trying to ensure privacy teams have the resources they need.
Among other survey results, 42 per cent of respondents said their privacy budget is underfunded, and only 36 per cent believe it is appropriately funded. Just over a third of respondents (34 per cent) indicate their privacy budgets will increase in 2023.
ISACA offers certifications for information systems governance, control, risk, security, audit/assurance and business and cybersecurity professionals.