Companies must refocus privacy efforts, says Gartner report
According to a survey by research company Gartner, only 43 percent of organizations have a comprehensive privacy program in place, whilst seven percent admit to only doing the bare minimum to address privacy laws. The results are based on 221 organizations surveyed in April and May 2013 in the US, Canada, UK and Germany.
"More than a third of organizations still 'consider privacy aspects in an ad hoc fashion' and it is surprising that so many companies are saying that they are not conducting privacy impact assessments before major projects. Sixty-two percent do not scan websites and applications, or conduct an organization-wide privacy audit every year. Organizations must put these activities on their to-do list for 2014," says Carsten Casper, research vice president at Gartner.
"Organizations continue to invest more in privacy due to ongoing public attention and a number of new or anticipated legal requirements," Casper continued, adding that many organizations are looking to boost their privacy activities through increased staffing and budgets to initiate comprehensive privacy programs to deal with cloud, mobile, big data and social computing challenges.
"Gartner's consistent observation is that privacy programs are only successful if someone is driving them. Almost 90 percent of organizations now have at least one person responsible for privacy. However, having privacy programs that are owned by this individual is still not the norm," says Casper. Privacy officers should have broad expertise and solid relationship management and communication skills, because they need to monitor a variety of sometimes conflicting business and IT requirements and collaborate with internal and external business functions.
The handling of personal information for employees, customers and citizens tops the list of requirements respondents believe should be included in a privacy program. Some organizations -- concerned about violating domestic privacy laws and the risk to their reputations -- do not store personal data in locations where it might be seized by foreign authorities or be at greater risk from cyber attacks. However, central global storage of personal data is becoming increasingly widespread. For the first time this year, more organizations stored their customer data in a central global place rather than in a regional or local data center.
The survey finds that 38 percent of organizations transform personal data before transmitting it abroad (using masking, encryption or similar), thus keeping sensitive data local, while allowing some functionality abroad. This is the preferred option compared to domestic storage (29 percent), remote storage with only local access (27 percent) and with a focus on legal protection (22 percent).
"When storing and accessing personal data, organizations face a number of options. They can store data locally or in a low-cost country, allow access to domestic or remote staff, use a provider for application management or for infrastructure management, or implement legal and technical controls, such as data masking, tokenization and encryption," says Casper. "There is no right or wrong answer. Organizations have to decide which type of risk they want to mitigate, how much money they want to spend and how much residual risk they are willing to accept."
Privacy issues will be discussed in more detail at the Gartner Symposium/ITxpo in Barcelona in November 2013.