There is more at stake than regulatory fines with data protection, so it is essential organisations embed a culture of care among all staff.
Organisations are today relying more than ever on confidential data such as customer information, business plans and financials to run their businesses.
As the amount of data grows exponentially, some leading organisations -- especially in Europe and North America -- have made significant strides in securing this sensitive data, but many others are lagging in their data protection efforts.
Technology innovations such as cloud computing, the consumerisation of IT and the proliferation of mobile devices, coupled with new business models and increasingly sophisticated global business processes, have outpaced not only regulations but also many organisations’ own ability to effectively secure sensitive business information.
The resulting shortcomings, in critical areas ranging from employee training to technology infrastructure, have made organisations in both the private and public sectors extremely vulnerable to security breaches and the misuse of sensitive data, even as awareness of data privacy and protection issues has increased.
There’s more at stake than regulatory fines; as several high-profile data breaches over the past few years have shown, credibility and customer trust can also take a significant hit. It is estimated that 3.6 percent of a company’s customers will end a business relationship over such a lapse. Research has also shown that a company’s stock price typically drops by approximately five percent after a breach becomes public.
A Global Study
To further examine this issue, Accenture recently conducted a global study which underscores the importance of taking a comprehensive approach to data privacy and protection in order to close the gap between business strategy, risk management, compliance reporting and IT security.
Conducted with the Ponemon Institute, an independent privacy, protection and information security research firm, the study surveyed more than 5,500 business and technology leaders and more than 15,000 adult consumers from 19 countries. The study revealed a difference between organisations' intentions regarding data privacy and how they actually protect sensitive information. For instance, 73 percent said they have adequate policies in place to protect sensitive, personal information, yet 58 percent still lost sensitive data within the past two years.
Although 70 percent of the respondents agreed that organisations have an obligation to take reasonable steps to secure consumers’ personal information, the study also showed several inconsistencies. For example, 45 percent of business respondents were unsure about or actively disagreed with granting customers the right to control the type of information that is collected about them. Nearly half did not believe it was important to limit the collection and sharing of sensitive personal customer information, protect consumer privacy rights, or prevent cross-border transfers of personal information to countries with inadequate privacy laws.
A ‘Culture of Caring’
Thirty-one percent of the companies said that they had not experienced a data breach. Those companies tended to place a greater value on the protection of sensitive data and how such data is used. They were more likely to know where personal information on customers and employees resides within the organisation and to feel an obligation to control who has access to personal data. In other words, they have developed a “culture of caring” with regard to data privacy and protection.
This culture of caring is not just good for complying with regulatory laws, but can also help engage consumers while increasing the organisation’s reputation and brand in the marketplace.
There are six steps organisations can take to foster this culture and take a proactive stance to data privacy and protection:
- Assign ownership and accountability for data protection and privacy. Organisations should bring together the people or functions responsible for specific aspects of protection and privacy – e.g. technology, policies, procedures, regulations and law – to ensure these issues are approached in a comprehensive and coordinated way. Consider establishing a data protection and privacy council, with stakeholders from across the business, to oversee how sensitive data is managed and used.
- Develop a more effective and comprehensive governance program for data privacy and protection. This can help an organisation delineate how data is collected, stored, managed and used, and determine who is allowed access to what data.
- Evaluate current technologies to confirm that the necessary level of protection of sensitive data is being provided. As computer incident-response technologies rarely generate adequate insights from prior breaches, companies need to be constantly re-evaluating their technology to determine if it needs to be enhanced or replaced. Since technology alone does not prevent information loss, it must be viewed in the context of how it works within a data governance framework and standards.
- Build a consistent level of awareness of the importance of data protection and privacy among the workforce. Employees need to have a consistent and common understanding of the enterprise’s established data protection and privacy policies and procedures, and specific guidance on how to follow them.
- Re-examine data protection and privacy investments. An organisation needs to have a balanced investment in data protection and privacy in terms of people, process and technology.
- Choose business partners with care. Organisations must rigorously assess the knowledge, practices and experiences of any companies they partner with in managing sensitive data across organisational and national boundaries. When it comes down to it, a business is only as good as the company it keeps.
Just as organisations have innovated new business models and technology to gain or maintain a competitive edge, they must be equally aggressive in innovating around the data security issues that these advancements introduce. Data protection and privacy must become a core part of their business value proposition, fostering a true culture of caring throughout the organisation.
Alastair MacWillson, global managing director, Accenture Security practice