ISACA’s Privacy in Practice 2023 report, based on responses from digital trust professionals across a range of geographies, industries and levels of professional experience, provides valuable insights into the current state of the privacy profession. Three key themes emerged: 1) the need for more visible executive support for privacy; 2) the need for more privacy skills and staffing; and 3) given executive support, skills and staffing, the increased controllability of many of today’s privacy failures as an outcome.
Privacy in Practice Needs More Executive Support
The highest-level theme is encapsulated in respondents reporting a lack of support for their organizational privacy initiatives. Lack of clarity on mandate, lack of executive support, and lack of visibility were reported by 40%, 39%, and 38% of respondents, respectively.
In transformation management terms – given that building an organizational privacy capability is a major organizational transformation – this could be the outcome of a lack of awareness among executives of the need to change the organization’s approach to privacy, of a lack of desire among key executive stakeholders to participate in and support the change, or of both. This implies no shared understanding (awareness) of how a privacy program will help executives meet their objectives (desire), or of the role of the various executives in a privacy program. Without such a shared understanding, it will certainly be difficult to establish a sustainable privacy program with the appropriate scope, visibility, support and resourcing.
One reason for the above could be that no privacy objectives have been expressed as part of the strategic objectives of the organization, and/or that there is no clear relationship between the objectives of the various executives and the organization’s overall objectives with respect to privacy. Organizations that see privacy beyond compliance – as something of a basic human right and where privacy ethics come into play – will more likely see the relationship between a richer privacy focus and the rebuilding of digital trust. A digital trust focus is driven by declining levels of trust in governments, institutions, and organizations, and consequently by the negative impact of this on the potential of an organization to achieve its objectives and to live its vision. A compliance-only focus will remain narrow, with legality not necessarily synonymous with ethicality.
Visible support for privacy needs to start at the top given the scale of such an organizational transformation. Gaps here are experienced every day as privacy programs barely limp along under the pressure of understaffing, resulting in otherwise controllable privacy failings.
Privacy in Practice Needs More Skills
Understaffing is partly a consequence of the lack of support, and partly a consequence of market dynamics. In the case of market dynamics, about half of the respondents indicate a skills gap that materializes as about 6 months being needed to fill a role, with the greatest gap being experienced for technology-oriented (CDPSE-type) privacy skills. Specifically, 42% of respondents report a lack of competent resources to staff a privacy program.
The CDPSE-type gap is incidentally aligned with the industry gap for data skills in general, specifically with respect to an understanding of the impact of data lifecycle management on the effective functioning of an organization. The data lifecycle makes up one of three domains of the CDPSE qualification.
As a result of the skills gap, privacy qualifications are taking a backseat to any candidates who have at least some indicated experience in the various privacy domains, albeit not supported by any relevant qualifications. As another response to the skills gap, some organizations have also undertaken skills training to help close the gap.
This situation is positive for anyone with or considering a CDPSE qualification. The more the technical gap is recognized as distinct from the compliance gap – as indicated in the survey – the greater the demand for technical privacy skills, and thus the greater the market recognition of such qualifications.
More Support and More Skills Mean More Controllable Privacy Vulnerabilities
Some of the major failures in organizational privacy programs are poor training (49% of respondents), data leakage (42%), and poor or non-existent detection of personal information (37%).
As we found above, poor training is likely the outcome of having to recruit privacy candidates who have some experience, but not necessarily the qualifications to perform their task. This finding also supports the finding in the previous section that there is a demand for privacy qualifications in general, and for technical privacy qualifications in particular.
In terms of data leakage, much is still the result of poor internal practices such as no “clean desk” policy, or discussing sensitive matters in the presence of people who “don’t need to know.” Educating the workforce takes resources, and if there are insufficient resources, it will take longer to teach and to reinforce learning within the organization. This problem is exacerbated in organizations with high staff turnover.
When it comes to the detection of personal information, just as in cybersecurity, there is a very real need for organizational data classification. This will facilitate the identification of sensitive data not only at rest, but in motion and in use, too, making it easier to monitor behaviors that involve sensitive data for unusual activity, as well as facilitating Privacy Impact Assessments. Data classification makes up part of the metadata domain of data management, a domain incidentally of key importance to effective data lifecycle management, and by extension, to effective privacy management.
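To make the data classification point concrete, here is an added example (it is not from the ISACA report and not any vendor's tool) of a minimal classification pass over records at rest: each field is tagged with a personal-data category from field-name hints and value patterns, and each record is rolled up into a sensitivity label that a monitoring rule or a Privacy Impact Assessment could then key on. The category names, hint words, value patterns and the four sample records are all constructed assumptions for illustration; the patterns are deliberately simple and are not a substitute for a proper discovery product.

```python
"""Added example: tag fields in records with personal-data categories and roll
each record up to a sensitivity label, so sensitive data at rest can be
inventoried before it is monitored or assessed.  All rules are assumptions."""
import re
from typing import Dict, List

# Assumed field-name hints: substring of the field name -> category.
NAME_HINTS = {
    "email": "contact",
    "phone": "contact",
    "dob": "demographic",
    "birth": "demographic",
    "ssn": "national_id",
    "passport": "national_id",
    "health": "special_category",
    "diagnosis": "special_category",
}

# Assumed value patterns: (category, regex).  Kept narrow so an SSN-shaped
# value is not also mistaken for a phone number.
VALUE_PATTERNS = [
    ("contact", re.compile(r"^[\w.+-]+@[\w-]+\.[\w.-]+$")),   # e-mail address
    ("contact", re.compile(r"^\+\d[\d\s-]{7,}\d$")),         # international phone
    ("national_id", re.compile(r"^\d{3}-\d{2}-\d{4}$")),     # illustrative ID shape
    ("demographic", re.compile(r"^\d{4}-\d{2}-\d{2}$")),     # ISO date, e.g. date of birth
]


def classify_field(name: str, value: str) -> List[str]:
    """Return the sorted categories a single field matches (empty if none)."""
    found = set()
    lowered = name.lower()
    for hint, category in NAME_HINTS.items():
        if hint in lowered:
            found.add(category)
    for category, pattern in VALUE_PATTERNS:
        if pattern.match(value.strip()):
            found.add(category)
    return sorted(found)


def classify_record(record: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every field of a record; fields with no category are omitted."""
    result = {}
    for name, value in record.items():
        categories = classify_field(name, str(value))
        if categories:
            result[name] = categories
    return result


def sensitivity_label(classification: Dict[str, List[str]]) -> str:
    """Roll a record's field categories up to one label (assumed ordering)."""
    categories = {c for cs in classification.values() for c in cs}
    if "special_category" in categories:
        return "restricted"
    if "national_id" in categories:
        return "confidential"
    if categories:
        return "internal"
    return "public"


def inventory(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count records per sensitivity label: the at-rest inventory a PIA starts from."""
    counts: Dict[str, int] = {}
    for record in records:
        label = sensitivity_label(classify_record(record))
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample records (not real data).
SAMPLE_RECORDS = [
    {"id": "1001", "email": "alice@example.com", "dob": "1990-04-02"},
    {"id": "1002", "ssn": "123-45-6789", "phone": "+1 555-010-9999"},
    {"id": "1003", "name": "Bob", "diagnosis": "seasonal allergies"},
    {"id": "1004", "product": "widget", "qty": "3"},
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        tags = classify_record(record)
        print(record["id"], sensitivity_label(tags), tags)
    print(inventory(SAMPLE_RECORDS))
```

The field-name hints catch data whose values are free text (a diagnosis field), while the value patterns catch personal data stored under uninformative column names; combining both is what lets the classification feed a behaviour-monitoring rule ("alert on bulk export of restricted records") rather than relying on schema conventions alone.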
Privacy Calls to Action
So, what do these three, survey-based, global privacy themes mean for you as a privacy practitioner?
In terms of increasing executive support, there’s nothing to it other than to continue being a strong advocate of privacy beyond compliance at every opportunity. The more an organization-appropriate message is repeated, the more likely it is to become part of a larger conversation, and thus the more likely it is to become part of a broader organizational transformation program.
In terms of increasing skills, it’s clear that there is scope to increase privacy-related qualifications and experience. The gap is there, and it shows no likelihood of letting up in the foreseeable future. In other words, the time is right to pursue your first or complementary privacy qualification!
The greater controllability of privacy failures is dependent upon greater support and greater skills. As noted above, a subtlety is to notice and to act on the overlap between privacy management activities and data management activities. After all, it’s data that privacy activities aim to protect, so data management (e.g., metadata management and also security management) should be paired with privacy management to effectively accomplish these protections.