Unsurprisingly, companies are not protecting personal information

According to a global survey of privacy and risk professionals, more than half of the 780 respondents say consumers should not feel confident that companies are adequately protecting their information.

The study, conducted by ISACA, also found that only 29 percent of the respondents are very confident in their enterprise’s ability to ensure the privacy of its sensitive data. In fact, nearly one in five said they have experienced a material privacy breach.

The seven key components of an effective privacy program according to ISACA are:

• Appropriate staffing
• Positioning of privacy function at a high level in the organization chart
• Privacy-protection culture
• Privacy awareness training
• Globally accepted frameworks/standards
• Metrics and monitoring program effectiveness
• Compliance with data-protection legal requirements.

Respondents cite complex international legal and regulatory landscape and lack of clarity on roles and responsibilities as the two main barriers to establishing a successful privacy program. The most commonly reported privacy failures are:

• Lack of training or poor training
• Data breach/leakage
• Not performing a risk assessment.

However, the survey also identified some bright spots. More than 9 in 10 organizations have assigned someone to be accountable for privacy, and the primary positions given this responsibility are CISOs and chief privacy officers (CPOs) who report directly to the CEO. Additionally, the majority (76 percent) of organizations provide privacy awareness training to staff.

“Organizations with effective privacy programs understand that these programs begin with a system of governance and management, and are supported by a team with defined privacy responsibilities,” said Yves Le Roux, chair of ISACA’s Privacy Working Group, principal consultant of CA Technologies.