Most of the media’s fascination with what has become an increasingly pertinent topic for all of us, that of companies leaking private data, centers on the work of malicious hackers.
This includes a wide range of firms; anything from Home Depot to Carphone Warehouse to, of course, Ashley Madison (this fantastic data visualization has details about the major leaks of the past decade). But while it’s the malice that gets the headlines, the majority of privacy failures are generally down to employees just not knowing how to look after corporate information, according to CEB analysis. This is either because the right policies and processes aren’t in place or because of insufficient training.
Enter the Chief Privacy Officer
In response to what is fast becoming a firm’s most important area of risk management (see chart 1), and one that will benefit from better internal management, a lot of firms have employed a chief privacy officer (CPO) to manage the coordination across the vast number of teams, projects, functions, business units, and offices that’s needed to keep sensitive company data private.
Chart 1: Perceptions of privacy and technology risks among senior managers Source: PwC 2014 Annual Corporate Directors Survey; PwC 2015 Annual Global CEO Survey; CEB 2015 Legal Department Priorities; CEB 2014 State of the Compliance Function Survey; CEB 2015 Audit Plan Hot Spots; CEB Q1 2015 Emerging Risks Report and Monitor
But while the idea of a CPO is becoming more popular, it hasn’t yet become a staple role. CEB data show that just under 40% of firms have a CPO, while the rest ask someone within either the legal or compliance team to take on responsibility for data privacy.
Forward-thinking firms – or those with a lot of sensitive data to protect – that first hired a CPO over a decade ago recruited people with a legal or compliance background. Now they are looking for people with more experience in senior corporate positions, who can work across multiple functions, collaborate with the most senior business and functional managers, and build and lead teams.
The Two Major Causes of Data Leaks
Hiring someone with senior leadership skills should set companies up well for the future. CEB analysis of data “privacy failures” at over 80 companies shows that overwhelmingly the two most common causes are weak internal processes and employee misunderstanding through insufficient training. Both of these result in employees unintentionally exposing data; intentional acts, whether by employees or by outsiders, are far less common.
Weak internal processes: For example, many firms fail to develop cohesive privacy frameworks to help employees make the right decisions about data and information.
CEB data show that a third of companies lack established policies and procedures that clearly explain privacy requirements, almost two-thirds of privacy functions do not provide employees with tools to assist in privacy compliance, and nearly 60% of companies have no clear information governance structure, making it difficult for employees to understand where to escalate privacy-related issues.
Insufficient training: Companies with the best privacy training drastically reduce occurrences of inappropriate employee behavior, but most privacy functions provide only limited training each year. Roughly 50% of companies incorporate privacy training into other training courses, and the brief time spent on privacy content makes it difficult for employees to understand and correctly apply what they’ve learned.
As well as making time for dedicated data privacy training, the firms that see the best results don’t consider “increasing employee awareness” as the goal of their training. Rather, they focus on teaching employees to apply the training concepts. They teach job-relevant skills and foster employees’ motivation to apply the training in all work contexts.
Learn more about the internal risks for companies in protecting their data (pdf).