Data privacy, privacy management, digital privacy, data protection – the list goes on when it comes to data privacy and protection imperatives. The phrase “Data is the new oil” reflects the growing value of personal and organizational data. As a result, concerns about protecting personal data are driving new regulations around the world, and customers and consumers are increasingly aware of the consequences of data breaches and data leakage. Organizations that go beyond merely complying with these new requirements build trust with consumers and users and stand out from their competitors. Some of the key questions around privacy are:
- What are the challenges faced by organizations during the formation and implementation of a privacy program?
- Do organizations have competent technical privacy teams?
- Is data privacy a one-time job?
- How has COVID-19 impacted organizations in terms of budgeting and funding for data protection initiatives?
- Are there enough resources and skilled people available to bridge the gap in privacy skills?
Along those lines, ISACA recently conducted a privacy survey, asking respondents about their enterprise privacy hiring and workforce trends, challenges pertaining to data privacy, and regulations and frameworks that guide privacy programs.
An important finding of the survey is the lack of clarity on the mandate, roles and responsibilities needed to form a privacy program: 45% of the survey respondents say that, given the numerous privacy regulations in effect, it is not clear which laws and regulations their organizations are required to comply with. Other major findings are a lack of management and business support (41%) and a lack of competent, skilled privacy resources (41%) able to initiate and build a mature privacy program within the organization. This points to a major gap in skilled resources in the market and to the need for professionals to upgrade their data privacy and protection skills.
An Ongoing Focal Point
When asked about the frequency of data privacy training, 14% of the respondents indicate that their enterprises provide no training at all, while 67% report that privacy training is provided on an annual basis. This is another concern, because enterprise-wide privacy training is an important way to ensure that all staff understand the importance of privacy and the gravity of privacy violations, and such training and awareness sessions must be ongoing, not a one-time job.
Funding and Organizational Commitment
When it comes to funding for privacy programs, almost 50% of the survey participants believe that their privacy budgets are underfunded, while only 34% of respondents report that their privacy programs are appropriately funded. This is where top leadership and management have to play their part, ensuring that organizations allocate enough budget to meet the requirements of data privacy and security.
A substantial percentage of the respondents (46%) report that their organizations perform a privacy risk assessment on a periodic basis, while 37% report that their organizations undergo a periodic privacy audit/assessment. Privacy risk assessments, privacy impact assessments, privacy self-assessments and privacy audits/assessments are all viable methods of evaluating program effectiveness.
Finding the Right People
Another key focus area of the survey was hiring and workforce trends. Many organizations find it hard to hire the right people for privacy positions because the demand for skilled privacy professionals exceeds the supply, and it may take a while to fill open positions. Many organizations no longer require applicants for privacy positions to have a legal/compliance background, possibly because of vacancies in privacy roles: 17% of the respondents report vacant privacy positions in legal/compliance, 25% report vacant technical privacy positions, and 14% say that it takes more than six months to fill those technical privacy positions. The majority of the survey participants agree that demand for privacy professionals will increase: 59% believe that demand for legal/compliance roles will increase, while 70% believe that demand for technical privacy roles will increase.
Finally, when asked about the adoption of different frameworks and guidelines, 82% of respondents in Europe indicate that the GDPR is used to manage privacy, while 58% of respondents in the United States use the National Institute of Standards and Technology (NIST) Privacy Framework to manage privacy. ISO/IEC 27002:2013 comes in at no. 3.
The Final Verdict
Privacy laws and regulations are evolving as quickly as the technology landscape, and new and emerging technologies may themselves be applied to privacy-related tasks. The substantial financial and reputational harm associated with violating privacy laws and regulations has made privacy a priority for boards of directors. Despite the economic uncertainty resulting from the COVID-19 pandemic, privacy is still being funded and prioritized.
Enterprises must ensure that skilled talent is retained to manage and support the privacy program. Based on the survey responses, demand for privacy professionals is likely to increase. Employees and professionals need to upgrade their skills in compliance and data privacy to meet the growing demand in the market. By welcoming new professionals into the field and providing them with training opportunities, enterprises can also build talented privacy teams to address the numerous privacy-related challenges on the horizon.
About the author: Hafiz Sheikh Adnan Ahmed , CGEIT, CDPSE, GDPR-CDPO, COBIT 5 Assessor, ISO 20000 LA/LI, ISO 22301 LA/LI, ISO 27001 LA/LI, is a GRC, information security and IT strategy professional with more than 15 years of industry experience. He serves as a board member of the ISACA® United Arab Emirates (UAE) Chapter, IAPP KnowledgeNet Chapter Chair, and volunteers at the global level of ISACA as a Topic Leader for the engage online communities, member of the IT Advisory Group and the Chapter Compliance Task Force, ISACA® Journal article reviewer, CGEIT Certification Working Group, and SheLeadsTech Ambassador. He is PECB Certified Trainer and ISACA-APMG Accredited Trainer. He can be reached via email at adnan.gcu@gmail.com and LinkedIn.