Customer data is a core component of any company’s business, and more organizations are investing time and resources into protecting the privacy of such information. Even so, companies are experiencing a rising number of privacy breaches. In fact, a new study found that two-thirds of organizations have documented a privacy incident in the past three years.
FairWarning and the International Association of Privacy Professionals (IAPP) surveyed individuals representing more than 550 privacy programs and found that even with new privacy regulations enacted and increasing instances of data breaches, data protection and privacy program maturity is still a work in progress across all industries.
This post provides key takeaways from Benefits, Attributes and Habits of Mature Privacy and Data Protection Programs to help advance your organization’s privacy efforts.
Healthcare organizations as privacy leaders
Certain industries are faring better than others when it comes to privacy and data protection program maturity. To be considered “mature,” an organization’s privacy program should have complete, fully documented and implemented privacy procedures and processes. The program should also be reviewed on a regular basis to assess its effectiveness and ensure continual improvement. In contrast, less mature programs typically have informal, incomplete, or inconsistently used processes and procedures.
The study found that healthcare organizations ranked highest for program maturity levels, with 15% of organizations in the industry reporting their program is in the “advanced stages” of maturity. The software and services industry followed closely, with 14.3% of organizations indicating advanced stages of maturity. In addition to representing the largest share of advanced-stage programs, healthcare dominated the middle maturity stage with a 16% share (banking and software and services tied at 9% each).
Companies within the government, consulting services, and education/academia industries ranked at the bottom; in each industry, less than 7% of organizations’ privacy programs were in the advanced stage of maturity. Companies in the insurance and banking industries were slightly more mature, with 8.1% and 7.5% of those organizations having privacy programs in the advanced stage of maturity, respectively.
Benefits and attributes of data privacy and protection program maturity
Comparing replies from respondents whose programs are in the advanced stages of maturity with those in the early stages, more mature programs report greater gains in multiple areas, including:
- Reducing privacy complaints (30.3% higher than early-stage respondents)
- Boosting operational efficiencies (23.7% higher than early-stage respondents)
- Mitigating data breaches (23.5% higher than early-stage respondents)
- Fostering consumer trust (22.3% higher than early-stage respondents)
Mature privacy programs foster compliance
Beyond reducing complaints and increasing efficiencies, companies with more mature privacy programs also reported having greater confidence in their ability to comply with privacy and data protection regulations. Organizations with advanced privacy and data protection programs showed greater confidence in complying with the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the U.S. Health Insurance Portability and Accountability Act (HIPAA). Compliance with the GDPR uncovered the most significant gap between those in the advanced stages of program development and those in the early stages — a 52% difference in confidence levels.
Data privacy excellence requires a multi-faceted approach
Organizations with privacy programs in the advanced stages of maturity reported having more functions in place than organizations with early-stage privacy programs. In fact, the majority of companies in the advanced maturity stage said their company has an incident response plan outlined and has data protection policies and procedures that are reviewed and updated regularly (95% and 96.9%, respectively). By contrast, fewer than 80% of companies in the early stages of maturity indicated having a response plan or continuously updating policies and procedures (79.3% and 74.8%, respectively).
Commonalities across all maturity levels
The study found that, regardless of program maturity level, the groups share several commonalities. For example, more than 50% of all respondents — in all groups — said they have a separate privacy training module, and respondents across all groups also reported that they interact most often with the legal, information security, compliance, and IT teams.
Additionally, respondents across all stages and maturity levels noted that “increased employee privacy awareness” was the number one element of their privacy and data protection program that has had the most positive impact on their organization.
The Benefits, Attributes and Habits of Mature Privacy and Data Protection Programs report shows that although privacy and data protection programs across all industries are still maturing, organizations recognize the value of data privacy. And in today’s world, where data holds immense value, they also realize the intrinsic responsibility they have to create a robust data protection program, continuously update it, and educate employees on the importance of privacy and data protection.