CFOs urged to reassess privacy budgets amid rising data privacy concerns
Data privacy has become a critical concern for organizations worldwide as new regulations continue to emerge, such as India’s Personal Data Protection Bill and Brazil’s General Data Protection Law.
However, according to recent research conducted by ISACA, understanding privacy obligations and achieving compliance with new laws remains a challenge for many organizations.
The ISACA Privacy in Practice 2024 survey report reveals that only 34% of organizations find it easy to understand their privacy obligations. This lack of clarity can lead to non-compliance and increased risk of data breaches. Additionally, only 43% of organizations are very or completely confident in their privacy team’s ability to ensure data privacy and achieve compliance with new privacy laws and regulations.
Budget constraints: A barrier to compliance
Budget plays a significant role in organizations’ ability to establish and maintain effective privacy programs. Unfortunately, the survey indicates that nearly half of the respondents (43%) consider their privacy budget to be underfunded.
Only 36% believe their budget is appropriately funded. Looking ahead, the situation appears bleak, as 51% of organizations expect a decrease in their privacy budget, while only 24% anticipate an increase.
The combination of budget constraints and the dynamic nature of data privacy regulations makes it challenging for organizations to allocate resources effectively and keep up with evolving requirements.
Skills gaps: The need for competent resources
Another significant challenge organizations face is the lack of competent resources in their privacy teams. The survey reveals that 53% of organizations consider their technical privacy teams to be understaffed. Furthermore, respondents highlight skills gaps among privacy professionals, particularly in the areas of technology experience (63%), technical expertise (50%), and IT operations knowledge (42%).
To bridge these gaps, organizations must invest in training and development programs to enhance the skills and competencies of their privacy professionals.
Privacy failures
The survey respondents identified several common privacy failures that organizations encounter.
These include the lack of or poor training (49%), failure to practice privacy by design (44%), and data breaches (42%). These failures not only pose significant risks to data privacy but also hinder organizations’ ability to achieve compliance and maintain customer trust.
Mitigating challenges
To address the challenges outlined in the survey, organizations are taking proactive steps to strengthen their privacy programs. Training plays a crucial role in mitigating workforce gaps and privacy failures. Half of the respondents (50%) note that they are training non-privacy staff to move into privacy roles, while 39% are increasing the usage of contract employees or outside consultants.
Organizations are also investing in privacy awareness training for employees. According to the survey, 86% of organizations provide privacy awareness training, with 66% offering training to all employees annually. Moreover, 52% of respondents provide privacy awareness training to new hires. While the number of employees completing training is the main metric used to track effectiveness (65%), organizations should also consider measuring the decrease in privacy incidents (56%) to assess the impact of privacy training.
Privacy by design
The survey results highlight the value of privacy by design in organizations’ privacy programs. Organizations that prioritize privacy by design experience several advantages. They have more employees in privacy roles, with a median staff size of 15 compared to nine among all respondents. Additionally, 42% of these organizations believe their technical privacy department is appropriately staffed, compared to 34% among all respondents.
Furthermore, organizations that practice privacy by design strongly believe that their board of directors prioritizes organizational privacy (77% vs. 57% among all respondents). They view privacy programs as a combination of compliance, ethics, and competitive advantage (39% vs. 29% among all respondents). These organizations also have a higher likelihood of aligning their privacy strategy with organizational objectives (90% vs. 74% among all respondents).
Ultimately, organizations that consistently practice privacy by design demonstrate higher confidence (71% vs. 43% among all respondents) in their privacy team’s ability to ensure data privacy and achieve compliance with new privacy laws and regulations.
Assessing privacy programs
To assess the effectiveness of privacy programs, organizations employ various approaches. The survey identifies the following as the most common methods:
-
Performing a privacy risk assessment (49%)
-
Performing a privacy impact assessment (PIA) (44%)
-
Performing a privacy self-assessment (38%)
-
Undergoing a privacy audit/assessment (34%)
By implementing these assessment methods, organizations can identify gaps, prioritize areas for improvement, and ensure ongoing compliance with privacy regulations.
Why this is a priority?
The ISACA Privacy in Practice 2024 survey report highlights the challenges organizations face in understanding privacy obligations, allocating sufficient budget, and bridging skills gaps. However, organizations can take action to strengthen their privacy programs by investing in training, practicing privacy by design, and employing effective assessment approaches.
By prioritizing data privacy, organizations can protect sensitive information, maintain compliance with evolving regulations, and build trust with their customers. It is crucial for organizations to address the challenges identified in the survey and proactively adapt to the changing privacy landscape to ensure long-term success.
For more information and in-depth insights, you can access the full Privacy in Practice 2024 survey report on the ISACA website.
The ISACA Privacy in Practice 2024 survey report provides valuable insights into the current state of data privacy in organizations globally. The survey involved over 1,300 professionals working in data privacy roles and focused on various aspects, including staffing, organization structure, policies, budgets, and training.
Was this article helpful?
YesNo
