News Stay informed about the latest enterprise technology news and product updates.

Survey shows privacy policy success lies in collaboration with IT

A new study of privacy professionals shows the importance of collaboration with IT and the need to measure the success of a privacy policy more effectively.

A new study of privacy professionals shows the importance of collaboration and the need to measure success more effectively. The results of "Benchmarking Privacy" show that after unprecedented growth in the privacy profession, the global macroeconomic conditions have affected the industry -- most privacy leaders reported that they anticipated no change in head count this year.

The study is the result of a global survey of 166 privacy professional conducted by the International Association of Privacy Professionals (IAPP) and the Ponemon Institute. When privacy leaders were asked about the importance of collabo¬ration or cooperation with other functions, they said the success of their efforts rests on colleagues in other departments. Respondents said collaboration with information security (100%), corporate IT (98%), legal (98%), regulatory compliance (93%), and human resources (83%) was either "very important or important to the success of the organization's privacy mission."

Survey results also showed that crafting a privacy policy is a high-level function in most organizations, with 61% of leaders at only one or two reporting levels from the CEO. Fifty-six percent of those responding indicated that privacy rested in the compliance department. That's not surprising, considering that most privacy programs focus on data protection of items including employee records (95%), customer or consumer records (91%) and business customer information (84%).

Key findings from the survey

Key finding No. 1: "Budgets vary disproportionately according to the size of the organization. More than 70% of companies with over $10 billion in revenue reported privacy budgets between $500,000 and $2.5 million."

Key finding No. 2: "The scope and function of privacy initiatives change as the program matures. Immature privacy programs tend to have a narrow focus on a particular law, issue or data type. As the program matures, its focus broadens to other related domains, including the strategic use of information assets."

Key finding No. 3: "Privacy professionals recognize the need for collaboration across the enterprise in order to achieve privacy and data protection objectives."

Key finding No. 4: "A majority of organizations attempt to measure their privacy program's success or failure in meeting objectives."

Key finding No. 5: "A majority of participating privacy offices have someone on the staff with a CIPP, CIPP/G or CIPP/C designation."

Source: "Benchmarking Privacy," International Association of Privacy Professionals and the Ponemon Institute, September 2009

"The most common tool used by our respondents is privacy liaisons," said J. Trevor Hughes, executive director of the IAPP. "A liason in this context is someone who has responsibility for privacy in their job description but does not have a direction relationship to the top privacy professional." Privacy liaisons often provide training and support for specific business purposes.

Measuring the success of a privacy policy

According to the results in the privacy survey, 55% of respondents said their organizations had "measures in place to evaluate the privacy program's performance (success or failure) in meeting its mission or objectives." The two techniques used most often by privacy professionals are self-assessments and audits. "These tools that people use to measure are standard," said Hughes. "Auditing is high on the list and gives people a clear picture of what's happening. More formal assessments and benchmarking against other companies are also being used.

"We are increasingly seeing metrics and measurements emerge in the privacy profession," he added. "The top things they are trying to measure include compliance with policies and measure performance against that. Measuring awareness is easier -- have employees responded to a questionnaire or attended training. Those are all fairly straightforward. I think over time we'll see more sophisticated measures -- some things are more difficult to know, like whether a consumer is satisfied with a privacy policy."

Conversely, that means that 45% do not use metrics to measure the effectiveness of a privacy policy, which may concern CIOs looking for effective dashboards that monitor the success of compliance programs. "These numbers reflect the reality within the privacy professional community and in the marketplace as a whole," said Hughes. "Even if 45% of our members are actively measuring, the reality in the marketplace is even less than that."

Ninety percent of respondents use training and employee awareness to measure organizational compliance with policies; 74% use reductions in the incidence of data breaches.

Let us know what you think about the story; email Follow @ITCompliance for compliance news throughout the week.

Dig Deeper on Industry-specific requirements for compliance

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.