Survey says more attention being paid to data privacy, but still a ways to go

Data privacy has gotten its fair share of attention lately, what with the high-profile data breaches of recent months. Fittingly, PricewaterhouseCoopers released the results of its 2013 data privacy survey late last year. Its 370 participants included both board-level members responsible for oversight of privacy programs within their organizations and practitioners involved in day-to-day operations.

While some of the statistics were reassuring and showed that data privacy is growing in importance, it would appear that there's still a ways to go before it gets the amount of attention it deserves.

For instance, one of the many statistics indicated that the majority of respondents considered consumer privacy a "medium priority." By PwC's definition, this means that it's a business concern that gets "some attention."

That said, one thing the statistics do not show is how much depends on the sector being discussed, said Carolyn Holcomb, a partner and leader in PwC's Risk Assurance Data Protection and Privacy Practice. The financial and healthcare sectors clearly prioritize consumer privacy more than others do. At the other end, Holcomb pointed to B2B companies, which in essence are not on the front line the way retailers are.

"People in [sectors like financial or healthcare] will tell you that privacy is among their top 10 risks," said Holcomb. "It's when you expand that to other sectors that don't collect as much consumer information that you don't see as high of a risk."

Still, it is hard to deny that privacy awareness is not yet where it should be. The study found that 47 percent of board members were aware of privacy issues but not of the impact those issues have on their organization, and an additional 13 percent said they were not aware of the issues at all.

One possible reason for the lack of awareness is that, according to the study, 54 percent of board members admitted to relying on internal communications rather than one-on-one meetings to stay informed on privacy issues.

"Some of that is still related to a lack of education. Board education still has a way to go," said Holcomb in reference to the lack of face-to-face meetings. "Board members still aren't sure what they're missing. It goes back to that confusion that security and privacy are the same, so they see a security presentation and think they don't need anything else."

Naturally, the unfortunate implication here is that more often than not, board members may not be aware of the impact privacy risks might have on their companies. "There might be a privacy risk, but they'll think, 'We have a lawyer, we have a privacy policy, so everything must be okay,'" said Holcomb. "There's a lack of understanding of the risk."

Regardless of how companies perceive the importance of privacy on the whole, they do seem to be, at the very least, discussing it more. The study results indicated that while the largest share of respondents -- 39 percent -- discussed privacy issues at the board level only annually, the share of companies discussing them more frequently was not far behind. That number is rising year over year according to Holcomb, with 23 percent of respondents saying they discuss privacy issues quarterly.

"We've seen a big difference in how companies look at privacy versus security," said Holcomb. "Privacy is still up and coming. The boardrooms are really just starting to catch on and saying that security and privacy are different, and that [they] need to focus on privacy."

And in the long run, this obviously stands to benefit the company. As Holcomb points out, as both the company and board members become more educated on what exactly privacy means, they're beginning to keep the promises that they make to their consumers.

"The question is, if you put out a privacy notice and tell [consumers] what you're going to do or not do with their data, are you keeping those promises?" said Holcomb. "By getting additional information, companies are now better understanding the risks." Armed with better understanding, board members are becoming more focused on what their privacy notices say and what changes are coming about in their companies. This leads towards what Holcomb referred to as "privacy by design" and determining whether they are designing privacy into their products/services and whether it is done upfront.

"Now they're making sure the front end is in sync with the backend," said Holcomb.

This, according to Holcomb, is the key to an effective approach to privacy policies. Many organizations have a privacy notice out upfront, but they also need to be aware of what the backend systems are doing.

"There needs to be a governing structure of people that are looking at that linkage, communicating it to the board, and a program in place that is keeping that linkage tight all that time so you don't have a privacy problem," said Holcomb.

If the study results are any indication, avoiding those "privacy problems" appears to be a number one priority. The survey concluded that compliance and governance are "top of mind" for most board members, which at face value suggests that some companies' privacy programs are limited in scope to ticking the next box. But coming in a very close second was "enhancing trust in brand," and many companies are now trying to focus on both.

"The big focus today is how to take all the compliance requirements and try to streamline them," said Holcomb. "58 percent of the respondents said [that their strategy is] both compliance and brand maintenance. Compliance is important and yeah, you maybe check the box, but you're also focused on privacy because you want to protect your brand and build trust with your consumers."

That desire to streamline was made apparent in the survey results, as the majority of practitioners (57 percent) cited streamlining and improving the efficiency of their existing processes as a higher priority than expanding their programs. Again, it would be tempting to think that this may be indicative of a dismissive attitude towards privacy, but Holcomb insists this is not the case.

"It's just gotten overwhelming when you look at compliance in all the different areas where a company needs to comply," said Holcomb. "Companies need to figure out which technology, which group of people, which governance programs they need to cover all of these compliances, including privacy. It's not an attitude towards privacy specifically, it's that the list has gotten so long. It makes it quite a challenge for companies to comply all the time with all requirements."

Holcomb pointed out that the US does not have a federal privacy law; rather, it has state and sectoral laws, which makes building a privacy compliance program very complex, since the applicable law depends on where the consumers reside, not where the company is headquartered. Once all of a company's consumers are accounted for, the laws that apply become numerous and complicated.

"So having a compliance program to even meet the privacy regulations is challenging," said Holcomb.

That's why specialized roles, like chief privacy officer, are rising in prominence. Though the statistics indicated that the most common executive title held by privacy leaders is still General Counsel, at 32 percent, chief privacy officer came in second at 24 percent. Handling privacy issues was once a responsibility of CSOs, but they are less and less often in charge of it -- only 8 percent of respondents said a CSO was their privacy leader -- as more specialized players step into the role.

"[Being a privacy leader] is becoming more of a legal function," said Holcomb. "They have to coordinate with the security teams and others in the organization. The role is being given to someone, generally a lawyer, who is focused on the laws. But they also need to look at the people, processes, and technologies, so there's a lot of internal coordination. You need a cross-functional team."

Stories by Grant Hatchimonji