Rising cyberattacks amidst the COVID-19 pandemic may have galvanized organizations’ resolve to toughen their stance on data privacy and protection. As such, 83% of organizations in 2021 have dedicated Privacy Offices, up from 67% in 2020. At the same time, an increasing number of companies are spending $1 million or more on privacy.
Organizations are paying more attention to the privacy and protection of organizational data, systems, and networks, and are thus taking more initiatives in 2021, a report by privacy compliance company TrustArc revealed. The second edition of the company’s Global Privacy Benchmarks Report, covering 2021, also found that this shift stems from the events of the past year (including the outbreak of the Wuhan virus, among other things), not despite them.
On Data Privacy Day earlier this year, Brad Brooks, president and CEO at IAM provider OneLogin, told Toolbox, “2020 was a challenging year for data privacy due to COVID-19 and the huge shift to work from home. A recent OneLogin survey of 2000 U.S. and U.K. workers showed 48% of U.S. respondents reporting breaches since working remotely. These findings indicate that a large portion of companies, particularly in the U.S., were woefully underprepared for the onset of remote working.”
Consequently, TrustArc noticed an improvement in privacy competence and confidence this year, but there is still a long way to go, some 73% of respondents believe. And for the majority of respondents, which include employees at large U.S.-based enterprises (revenue > $500 million), getting agreement on privacy as a priority is no longer the issue, nor is getting started on compliance; getting the job done expeditiously and comprehensively is the new goal post.
“Regulatory changes are being introduced at record pace and, based on the results of the Privacy Benchmarks Survey, organizations are clearly moving fast to prioritize privacy management,” said Chris Babel, CEO of TrustArc. “We’re seeing more formal process implementation specific to privacy, which further supports how privacy prioritization is shifting, and companies are increasingly adopting purpose-built software to address ongoing needs that, without software, would present immense challenges.”
Evolving Data Privacy Regulations
Ever since the European Union introduced GDPR, a framework of stringent regulations pertaining to data protection and privacy, governments across the globe have followed suit with their own regulatory provisions.
California’s CCPA (now CPRA), for example, was amended in November 2020 to include multiple new definitions of what constitutes sensitive personal information, give data owners teeth over its use by companies, and delineate the difference between ‘sharing’ and ‘selling’ data.
Proposals for more than 20 new laws covering COVID-19 regulatory requirements were introduced in 2020 due to the adjustments in living and working conditions amid the pandemic. New data privacy reforms were proposed in the U.S. in Connecticut, New York, Texas, Oklahoma, Florida, and Virginia. Brazil introduced the LGPD while Canada rolled out the CPPA. New Zealand also sharpened its focus on data privacy with the New Zealand Privacy Act 2020, which came into force in December 2020.
Key Insights from the 2021 TrustArc Global Privacy Benchmarks Report
Perhaps the most evident aspect of an increased focus on privacy is the fact that the number of enterprises that created formal Privacy Offices in 2021 grew by 16%, from 67% in 2020 to 83% in 2021.
Dedicated Privacy Offices | Source: TrustArc
Security vs. Privacy
2020 saw business processes shift, right down to the people executing them. It exposed the gaps in the security fabric of organizations, leading to cyberattacks. For instance, ransomware attacks in 2020 surged 150%, and organizations with limited focus on IT infrastructure, such as healthcare, became prime targets.
The trend continued into 2021 with targets including critical infrastructure such as the largest pipeline operator in the United States, Colonial Pipeline; a Taiwan-based vendor of Apple products (and by extension Apple itself); the seventh-largest commercial insurer in the U.S., CNA Financial; the world’s sixth-largest computer vendor, Acer; and the world’s largest processor of meat products, JBS Foods.
And then there’s the unprecedented scale of the SolarWinds hack, which impacted thousands of organizations including almost a dozen federal agencies and shook the cybersecurity industry as well as governments across the globe.
Cybersecurity surely differs from privacy, but the two are intertwined. For example, ransomware gangs have for the past year been exfiltrating data in addition to encrypting it. So if an organization under a ransomware attack restores its data and refuses to pay the ransom, its stolen data may still be leaked, which affects the privacy of not just the organization but all its stakeholders.
However, the approach to security and privacy, intertwined though they may be, should be based on distinct goals. To illustrate this, consider the SolarWinds incident. The SolarWinds hack was a software supply chain cyberattack that was meticulously planned months in advance and ultimately compromised the privacy of thousands.
It can be argued that the attack (and thereby the compromise of privacy) could have been avoided with better cybersecurity measures. This is where the role of security ends. Privacy, on the other hand, involves not just protection of the data, but also adherence to regulations, maintenance of confidentiality, and immutability. Non-compliance with data regulations, TrustArc found, costs 2.71x as much as compliance.
Privacy Management Tools
For greater privacy compliance, TrustArc found that organizations are becoming increasingly reliant on purpose-built software and have dedicated privacy teams. Adoption of purpose-built software for privacy management grew by 7%. The use of Governance, Risk, and Compliance (GRC) software also increased by 3%, although the privacy competence and confidence of executives remained higher when using purpose-built tools.
Types of Privacy Management Tools in Use by Organizations
Dr. Gary Edwards, co-founder and president of Golfdale Consulting, said, “While there’s evidence that stand-alone solutions can be effective in managing specific compliance requirements such as cookie consent, our data indicates that companies that have implemented a comprehensive strategic and reportable privacy management platform score significantly higher on the Global Privacy Index.”
The use of spreadsheets, email, and/or word processing applications declined, but not as much as it should have. At the same time, there are still organizations (6%) that do not use any privacy management tools, even after that share declined by 3%.
Maybe this is why 73% of respondents agree or strongly agree that their companies can do more. Moreover, the number of organizations willing or intending to spend $1 million or more on privacy increased by 20% (28% in 2020 vs 48% in 2021).
Additionally, privacy is a top-to-bottom endeavor, from the board of directors to employees engaged in front-line activities, with repercussions across all business functions. Dr. Edwards adds, “Maintaining a privacy culture that permeates from the Board of Directors through the ranks, as well as incorporating privacy into core business strategy, were other distinguishing features of these privacy leaders.”
TrustArc’s 7 Keys for Privacy Competency
- Making sure privacy permeates day-to-day business decisions with greater importance
- Having the Board of Directors regularly review and discuss privacy matters
- Pursuing privacy as a core part of business strategy
- Embracing privacy practices as a key differentiator
- Being mindful of privacy as a business
- Ensuring every employee can formally raise a privacy issue with confidence that there will be no reprisal
- Sufficiently training employees in privacy matters
It seems organizations are mindful of the due diligence associated with maintaining the privacy of organizational data and are steadily inching toward compliance in an ever-evolving era of regulations. Privacy management tools matter, and so do the people using them, but both can prove inconsequential unless the entire organization is actively involved in protecting privacy.
In short, privacy is a sustained process that needs to be continuously upgraded.
Note: Commissioned by TrustArc, the study for the 2021 TrustArc Global Privacy Benchmarks Report was conducted by Golfdale Consulting. The report’s 1,630 respondents include executives, managers, full-time (non-managerial) employees, privacy team leaders, and privacy team members, 96% of whom work in large enterprises engaged in technology, financial services, manufacturing, retail, and health care across all major regions globally.