Major privacy breaches of customer data records are becoming common news headlines, shattering the trust of customers who expected the affected enterprises to protect their personal information. Almost 75 percent of the respondents to ISACA’s 2015 Privacy Survey indicate that their enterprises’ use of privacy policies, procedures, standards and other management approaches is mandatory, while 19 percent indicate that their use is “recommended.” This finding is a reflection of good practice because written policies and procedures should be at the heart of every enterprise, regardless of size.
However, less than one-third of the surveyed privacy professionals are very confident in their enterprise’s ability to ensure the privacy of its sensitive data. This is confirmed by the fact that more than half of surveyed privacy professionals believe that consumers should not be confident that enterprises are protecting their personal information.
Slightly more than 90 percent of the respondents to the survey report that the privacy function has a significant or moderate level of interaction with information security. This may explain why the CISO/CSO is a consistent selection as the role with primary accountability for privacy across all enterprise sizes. Unfortunately, nearly 8 percent report that no one is assigned to privacy accountability.
More than half of the respondents identify a lack of training or poor training as the most common type of privacy-related failure. This put an emphasis on the fact that privacy governance/management depends on regular, consistent monitoring of the program effectiveness, coupled with a commitment to making changes when weaknesses are spotted.
Any enterprise program as complex as privacy—requiring the coordinated efforts of many departments and individuals—requires a formal system of governance and management. Having the appropriate leadership and staff structures is an integral part of privacy governance and management. Increased (and increasingly diverse) regulation adds to the complexity, making an effective system of governance and management that involves frameworks, standards, policies and metrics a requirement. Operating in multiple jurisdictions adds a layer of complexity to privacy programs because it requires knowledge of and compliance with a wide variety of differing global regulations.
All of this is why ISACA is developing privacy principles for enterprises to use to develop a privacy program that is adaptable, flexible and applicable to the global population, with plans to publish the principles in the near future. These principles will use the COBITframework to provide structure and an implementation road map to guide practitioners through privacy management activities.
Yves Le Roux, CISM, CISSP
Chair, ISACA’s Privacy Task Force
[ISACA Now Blog]