New privacy laws and regulations have many companies worried. Most are responding by writing and posting privacy policies on their web sites, and monitoring emerging privacy regulations. Unfortunately, despite their concern, a lack of resources may be creating gaps in privacy and data protection activities that could make many organizations vulnerable to a privacy breach.
These were important findings from the first Benchmark Study of Corporate Privacy Practices conducted by the Ponemon Institute in partnership with the International Association of Privacy Professionals (IAPP), with sponsorship from Unisys. The survey was sent to more than 1,000 IAPP member organizations with a response rate of more than 10 per cent and a sampling rate of more than five per cent.
While only 25 per cent of the companies in the study have undergone a privacy regulatory inquiry in the last three years, 88 per cent responded that privacy compliance is a significant regulatory concern for their company. Further, 52 per cent of those surveyed would like bigger budgets to make sure they can safeguard the personal information of consumers, customers and employees.
Trevor Hughes, executive director of the IAPP, noted that what the findings reveal is that companies understand the importance of being compliant with privacy law, but are unsure about how to actually put their policies into effect.
Best privacy practices
What are the most common privacy practices of leading companies?
Strategize. Sixty-five per cent of companies surveyed have a strategy to help them navigate the turbulent waters of privacy rules and regulations. While a privacy strategy does not guarantee data protection, a well-designed plan can identify and prioritize risks involved in the information collected, used and shared within an organization.
Take stock. Another important practice is to inventory the personal data the company collects, uses, shares and retains. Before controlling data risk, companies need to have a clear understanding of where the data resides, is handled and stored.
Be proactive. There is also evidence that companies in the survey are being proactive in managing personal information. Sixty-four per cent evaluate new software applications for privacy flaws before placing them into production.
Train staff. Finally, a majority of companies are implementing awareness and educational programs for consumers and employees. Seventy-five per cent of these companies have ongoing privacy training programs.
Other common practices of leading companies include:
– Documenting privacy practices and procedures with separate policies aimed at employees (82 per cent).
– Monitoring emerging state and federal privacy regulations (87 per cent).
– Creating multiple policies for business segments, divisions, units or functions (45 per cent).
– Aligning privacy policies with business conduct or ethics policies (96 per cent).
– Addressing current industry trends and issues as part of the policy development process (73 per cent).
– Requiring business partners to comply with their privacy policies (96 per cent).
– Communicating practices and procedures to customers and consumers (83 per cent).
– Communicating practices and procedures to employees (92 per cent).
While the study reveals many positive practices, it also points to gaps in privacy initiatives that can make a company vulnerable to lawsuits or regulatory action. Here are the major areas companies need to focus on.
– Invest in your redress and enforcement process. These are the areas that seem to be getting the least attention from management. The purpose of a privacy redress program is to have established procedures that enable a company to respond quickly to a privacy complaint. Such a program can help organizations reduce the likelihood of a public privacy crisis and, if necessary, quickly address any problems in their privacy policies and practices. According to the findings, 70 per cent of companies do not clearly describe the redress process in their privacy policies or notices, and only 14 per cent have a standardized process for responding to help line calls. This means that even a minor complaint could trigger a public privacy crisis. Further, only 19 per cent of companies have a formal process for determining how to enforce privacy violations, and only 20 per cent have specific reporting requirements to management.
– Adopt a proactive approach rather than a compliance mindset. When it comes to privacy and data protection, a proactive approach not only supports adherence to rules and regulations but also ensures alignment with the privacy preferences of a company’s key stakeholders. Findings of the study show that executives support a compliance approach but do not believe privacy can contribute to the company’s brand or marketplace image. Until sufficient value or return on investment (ROI) is demonstrated, privacy programs may continue to be constrained by a lack of resources and commitment.
– Establish accountability. For privacy management to work in a complex organization, it is necessary to establish accountability and responsibility for accomplishing the objectives of the program. While the study shows that many responding companies have ongoing education programs, very few companies measure and monitor the effectiveness of their program activities.
– Evaluate and monitor the privacy and data protection practices of your key business partners. Data sharing with affiliates and third parties creates additional privacy and data protection risks and responsibilities that have to be managed as an integral part of the privacy management process. The lack of proper vetting or due diligence procedures creates significant risk and possible culpability for organizations that share sensitive information about consumers, customers and employees.
The 2003 Benchmark Study of Corporate Privacy Practices drew most heavily from the financial services sector (17 per cent of respondents). For details, visit www.ponemon.org.