Time to Turn Around Privacy Programs
Privacy audits may help organizations protect personal information and comply with legal requirements.
October 01, 2013
For most organizations, privacy activities are getting worse, not better, a new Gartner study reports. Forty-three percent of the 221 organizations surveyed in Canada, Germany, the United Kingdom, and the United States have implemented a comprehensive privacy management program, while 7 percent are “doing the bare minimum” to comply with privacy laws.
“It is surprising that so many companies are saying they are not conducting privacy impact assessments before major projects,” says Carsten Casper, research vice president for the Stamford, Conn.-based IT advisory firm. He notes that more than one-third of respondent organizations take an ad hoc approach to privacy, and 62 percent do not conduct organization-wide privacy audits annually.
The price of privacy failures can be steep, as some of the world’s biggest Internet firms have found out the hard way. Starting this year, Facebook, Google, and MySpace must submit to independent privacy audits for the next 20 years as part of a settlement with the U.S. Federal Trade Commission (FTC) over alleged user privacy violations. These companies must report to the FTC biennially on whether their privacy programs meet or fail to meet the commission’s expectations — each violation carries potential fines of US $16,000 per day.
Privacy disclosures can be beneficial, as well, a recent study of U.S.-listed companies by University of Auckland (N.Z.) professors Penica Cortez and David Hay notes. Researchers found that companies that disclosed privacy risks in their audited financial statements between 2005 and 2011 were less likely to suffer an inadvertent breach of privacy information. At the same time, organizations that had experienced privacy breaches (54 percent), such as exposure of credit card information, were more likely to disclose privacy risks in the future than organizations that did not have a breach (32 percent).
Convincing organizations of such benefits may be a tough sell. Gartner finds that many organizations’ past privacy investments haven’t paid off, which may have led their programs to become less mature since 2011. To get back on track, Casper says many organizations are adding staff and budgets to launch comprehensive privacy programs encompassing cloud computing, mobile, big data, and social media. Moreover, two-thirds of respondent organizations in the Gartner survey have a dedicated privacy officer, and 32 percent have added privacy staff members in the past year. “Privacy programs are only successful if someone is driving them,” Casper asserts.
The Benefits of Privacy Controls
According to the IIA practice guide, Auditing Privacy, good privacy controls benefit an organization by:
- Protecting its public image and brand.
- Protecting valuable data on customers, employees, and business partners.
- Achieving a competitive advantage.
- Complying with privacy laws and regulations.
- Enhancing the organization’s credibility.
Another success factor is making privacy programs a top priority — with a primary focus on the handling of personal information of customers, employees, and the public, Gartner observes. Failure to protect such information carries risks such as reputational damage, financial loss, legal liability or regulatory sanctions, and damaged business relationships, according to an IIA practice guide, Auditing Privacy Risks (PDF).
The practice guide notes that privacy audits can help mitigate such risks by facilitating compliance with privacy laws and regulations, assessing and improving compliance with the organization’s data protection system, identifying inconsistencies between privacy policies and practices, providing assurance over reputational risks, and improving procedures for responding to privacy complaints. A big part of internal audit’s work will include assessing the privacy framework the organization has adopted and its data inventory and classification program, as well as its legal and organizational, infrastructure, application, and business process risks. Moreover, the practice guide advises internal audit to consider possible privacy breaches, staff management, record retention, and privacy assessments performed by outside providers.
The University of Auckland study suggests that privacy audits and disclosure of privacy risks can have a positive impact on an organization’s readiness to prevent privacy breaches. As such, they may go a long way toward enhancing the maturity of organizations’ privacy programs.