As the world becomes increasingly digital and laws like HIPAA, GDPR and CCPA transform how data is regulated, organizations must make data privacy and security a priority if they want to meet consumer and legal demands. The need for a data protection program is becoming an organizational imperative across industries – from healthcare to banking, technology, and even insurance – as they acknowledge that customer data is core to business functions and must be protected. But reaching a mature stage of privacy isn’t always a straightforward path for organizations that wish to be privacy conscious.
To help identify the benefits, attributes, and habits of mature data privacy and protection programs, the International Association of Privacy Professionals (IAPP) and FairWarning conducted a study of 550 organizations’ privacy efforts. The survey revealed that half of organizations experienced at least one data breach in the last three years. Additionally, more than two-thirds documented a privacy incident. While one incident is enough to be significant, 24% of respondents reported over 30 privacy incidents in the past three years.
Although the survey shows data privacy and protection programs are still maturing, it also concluded that the greater the maturity level of a privacy program, the more value it provides. To improve your data protection program, the attributes outlined in the study offer a pathway to continue maturing and optimizing your organization’s privacy program.
What’s driving the need for data privacy?
Global, regional, industry, and local data privacy laws are continuing to evolve. Beginning with the EU’s GDPR in 2018, additional privacy protections like the California Consumer Privacy Act and Brazil’s General Data Protection Law demonstrate that data privacy is no longer just an issue for the legal department.
Another factor impacting the need for data privacy programs is the cost of data breaches. The fallout of a data breach can be significant – fines, lawsuits, loss of revenue, loss of hard-earned trust, and more. According to IBM Security and Ponemon Institute’s Cost of a Data Breach Report 2020, the global average cost of a data breach is $3.86 million.
Due to the increasing consequences and global movement towards privacy regulation, many organizations consider data privacy a strategic, organizational priority. Regardless of size, industry, or business model, companies are now proving they understand their customer’s data privacy is essential to their business by forming data protection programs.
Assessing data protection program maturity
The survey asked respondents to rate their data protection program on a five-point scale:
- Ad hoc: Privacy processes and procedures are informal, incomplete, or inconsistently used.
- Repeatable: Privacy processes and procedures exist but are not fully documented or are incomplete.
- Defined: Privacy processes and procedures are fully documented, complete, and implemented.
- Managed: Privacy processes are fully implemented and privacy controls are occasionally reviewed to assess effectiveness.
- Optimized: Privacy processes are fully implemented and privacy controls are regularly reviewed to ensure continual improvement.
The study considers “optimized” and “managed” to be advanced stages of maturity, while “ad hoc” and “repeatable” are early stages.
Across the organizations surveyed, only 7% reported that their programs were “optimized,” followed by 21% saying their efforts are at the “managed” stage. Most respondents fell within the “repeatable” (36%) and “defined” (28%) categories, demonstrating progress towards privacy excellence, although there’s still work to be done.
The healthcare, software and services, and organizations with 25,000 or more employees were the leaders in having the most mature privacy programs. This may be attributed to laws with extensive privacy requirements like HIPAA regulating those industries, especially healthcare.
Organizational benefits of mature data privacy programs
The benefits derived from privacy programs were consistent across maturity levels, yet advanced maturity privacy programs reported greater levels in each category. The biggest gap between highly mature programs and less mature programs was GDPR compliance – a 52% difference in confidence levels.
In addition to greater confidence in the ability to comply with privacy and data protection regulations, according to the surveyed organizations, the benefits of having a data privacy program include:
- Increased employee privacy awareness
- Greater consumer trust
- Reduced privacy complaints
- Quality and Innovation
- Competitive advantage
- Operational efficiency
- Mitigating data breaches
While the top benefits of a privacy program were consistent across maturity levels, advanced maturity respondents saw even greater benefits across the board. For highly mature programs, increased privacy awareness by employees and mitigating data breaches nearly tied for the top benefit at 87.6% and 86.3%, respectively, compared to 75.2% and 62.8% in the early stages of maturity.
73.3% of highly mature programs experienced fewer privacy complaints – which leads to reduced workload – compared to only 43% of less mature programs. Greater consumer trust was experienced by 57.8% of programs in the advanced stage of maturity and 35.5% of early-stage programs.
Another insight gained from this survey is that more mature programs have clear attributes. These organizations manage programs through distinct teams, have more representation in the C-Suite, manage a discrete budget, and use automated tools to proactively monitor data.
Of those organizations with mature programs, 61% reported having a dedicated privacy team vs. only 43% of respondents with programs in earlier stages. The average team size for a mature program was three employees dedicated to privacy, whereas less mature teams had only one or two members.
"Fundamentally, dedicating resources to a privacy program yields greater awareness of privacy-related issues internally, leading to better outcomes externally."
More mature programs were more likely to have a Chief Privacy Officer, Chief Information Security Officer, or Chief Compliance Officer. Having a dedicated professional in the C-Suite also helps explain why some more mature programs have their own discrete budget instead of drawing funding from another department such as IT, security, or compliance.
While the results demonstrate that privacy and data protection programs are still maturing and the more mature the program, the greater the benefit, it’s also true that organizations have a lot to gain from having any form of program, regardless of maturity level. By dedicating organizational resources to a privacy program, you can expect greater awareness of privacy-related issues internally and better outcomes externally.
For more information about the benefits, attributes, and habits of mature privacy and data protection programs, read the full study here.