2022 ViewPoint Espresso report on Privacy Management


ViewPoint Espresso – How are companies tackling enterprise risks? #7, February 2022 – Privacy Management


Espresso surveys – Enterprise Risk Management Pulse Check, 2020–2021

The Espresso Survey is turning its focus to Enterprise Risk Management. What are companies struggling with these days, and has the picture changed due to the “new normal”? Throughout this series of surveys, we check the pulse of companies on the following topics:

• Environmental Management (May 2020)
• Business Continuity (September 2020)
• Infection Risk Management (November 2020)
• Remote Audit (January 2021)
• Occupational Health and Safety (March 2021)
• Information Security (October 2021)
• Privacy Management (December 2021)

The topics selected are both new and returning ViewPoint survey topics. Where possible, we compare data to see what changes may have occurred over time. The objective is to provide insight on each topic as to what is top of mind for companies around the world when it comes to Enterprise Risk Management.

DNV ©


Setting the Scene

Topic in focus

The seventh snapshot is of privacy management. The short survey was launched in December 2021 and the results were released in January 2022. A similar survey on information security was conducted in 2019.

Where are they now?

Regulation such as Europe’s GDPR truly put privacy information management on corporate agendas across the globe. Individual ownership of personal data was emphasized, and companies were obliged to protect this right for everyone. Knowing how to manage privacy and ensure compliance continues to challenge companies worldwide. Where are companies in their privacy information management journey now, and has anything changed in the last 3 years?

What did we ask?

• Which privacy related requirements do companies have in place?
• What is the nature/source of companies’ privacy risks?
• In which areas have companies made investments in order to address risks related to privacy?
• How mature are companies within personal data protection/managing privacy?
• How will investments evolve?
• What are the main benefits of a privacy management system?

What did we find?

• Companies’ maturity has only slightly increased since 2019.
• The main approach is from a legal perspective. Fewer have a formal management system, even though a perceived main benefit is “to meet legal requirements”.
• There is a move from IT to people when it comes to the main risks and actions. Privacy certified companies are less concerned over awareness and legal competence gaps.
• Investments will not increase but will be shifted to actions such as competence, culture & organization.


Question 1 – Privacy related requirements
Does your organization have these privacy related requirements in place?

[Chart: grouped bars per question with the response options “Yes, fully”, “Yes, partially”, “No” and “I don’t know”; y-axis 0–50%. Questions asked:
• Do you have a privacy policy and related goals in place?
• Do you know your role (‘Data controller’, ‘Data processor’ or ‘both’) to enable appropriate implementation of processes and systems?
• Do you practice ‘Privacy by Design’?
• Do you carry out regular reviews to ensure compliance with increasing regulations?
• Do you have a good system in place to manage privacy incidents/breaches appropriately and meet regulatory requirements?
Individual bar values other than those quoted below are not recoverable from the extracted chart.]

• About half of the sample have a formal policy and related goals in place. Only 1 in 10 do not have anything in place at all.
• The low number practicing “Privacy by Design” may indicate that organizations take a minimal approach to privacy risks: such companies consider only the legal requirements and how to ensure compliance.
• When it comes to emergency management, a fair number do not seem fully ready from a technical perspective. A total of 16.4% do not have a good system in place to manage incidents and data breaches, and 33.7% have only partially implemented such a system.
• It seems that companies are mainly prepared from a legal point of view. However, they are not necessarily mature when it comes to technical requirements, i.e. systems and processes to address risks, manage incidents or ensure continual improvement. This poses significant operational and business continuity risk.


Question 2 – Nature/source of risks
What is the nature/source of the privacy risks in your company? Please select the top 3.

[Chart: horizontal bars, x-axis 0–80%, three series: Total sample, Privacy certified, Non-privacy certified. Risk sources listed: Human error; Lack of awareness among employees or poor organisational culture; Lack of legal competence/interpretation of legal requirements; Technical limitations; Lack of awareness by management; Insufficient IT security / lack of IT security measures; Insufficient/vulnerable physical access control system to premises, offices, or…; Lack of technical competence and/or ability to implement requirements; Poor data management (processes/routines); Privacy risk in relation to exploring new/novel technology; Lack of control with outsourced processes / supplier chain risk; Insufficient staffing in the area of privacy; No risks. Per-series bar values are not recoverable from the extracted chart, apart from the total-sample figures quoted below.]

• The top 3 sources of risk are:
  1. Human error (44.6%)
  2. Lack of awareness among employees or poor organizational culture (27.7%)
  3. Lack of legal competence/interpretation of legal requirements (25.3%)
• Companies seem more worried about organizational, cultural and competence issues than about any external threat. This is very similar to the picture from our comparable study in 2019. Challenges related to insufficient staffing in the area of privacy, however, are indicated as more of an issue today than in 2019.
• Insufficient IT security/lack of IT security measures is no longer as prominent as it was in 2019. The reduced concern could be due to the high IT investments made over the last years.
• Companies with a certified privacy information management system see lack of awareness and lack of legal competence as less risky. However, when it comes to exploring new/novel technology, they clearly perceive it as a higher risk than their non-privacy certified counterparts.


Question 3 – Investment areas
Please select the top 3 areas in which your company has made investments in order to address risks related to personal data protection/improve personal data handling.

[Chart: horizontal bars, x-axis 5–50%, two series: 2021 and 2019. Investment areas listed: Training/awareness for staff; IT security enhancement; Change of management system and processes; Risk assessment; Data mapping, including record of processing activities; Roles and people; Supplier management; Physical controls; External support*; Change to IT applications; Customer management; Incident handling procedures; None of the above; I don’t know. Values recoverable from the chart: Training/awareness for staff 46.0% (2021) vs 43.4% (2019); IT security enhancement 43.6% (2021) vs 49.5% (2019); Change of management system and processes 22.1% (2021) vs 21.4% (2019). The remaining bar values are not recoverable from the extracted chart.]

• The spotlight is shifting from IT to people. Almost 1 in 2 prioritize resources to train staff. This is a slight increase compared to the 2019 survey.
• While IT security enhancement was the main investment area in 2019, it is now second with 43.6%.
• Change of management system and processes ranks third, selected by about 1 in 5 companies.
• The primary focus is on training/awareness and IT security enhancements, but with the intention to extend this and include a greater focus on culture and organizational improvement.
• Companies seem to meet legal requirements and compliance primarily through staff training and awareness, which may reflect human error being indicated as the main source of risk.
• Addressing human error by closing competence gaps is low-hanging fruit. A compliant management system is a more long-term investment, and without awareness throughout the organization any implementation will prove more difficult. An ISO 27701 compliant management system will help reduce human errors. To improve maturity, any culture must be supported by a formal management system.


Question 4 – Maturity
From a maturity point of view of personal data protection / managing privacy, where would you position your company on a 4-point development scale?

Maturity level       2021     2019
1. Starting          15.3%    17.3%
2. Progressing       31.4%    36.2%
3. Optimizing        34.1%    28.1%
4. Leading            9.0%     8.2%
I don’t know         10.2%    10.2%

• Compared to 2019, the overall company maturity has slightly increased. This is especially true for companies having moved from “progressing” to “optimizing”.
• Nevertheless, it is worth noting that less than half of the sample say they are “optimizing” or “leading”. Given recent legislation and the focus on privacy information management, a higher increase might have been expected. At the same time, the experience and knowledge gained in the last 2 years may give a more accurate performance assessment today.


Question 5 – Future investments
How much is your company going to invest in privacy / personal data protection in the next 12 months?

[Chart: vertical bars comparing 2021 and 2019, y-axis 0–90%, categories More + Same, More, Same, Less, No investments at all. One survey year shows More 26.4%, Same 56.8% (83.1% combined), Less 6.4% and No investments at all 10.5%; the other shows More 27.8%, Same 49.4% (77.3% combined), Less 10.1% and No investments at all 12.6%. Which year is which is not recoverable from the extracted chart.]

• More than 3 in 4 companies (77.3% and 83.1% in the two surveys) intend to invest more than or the same as today in the next 12 months. This is not a significant change compared to 2019.
• With human error indicated as the biggest risk, it is not surprising that, even if the level of investment largely remains the same, the prioritization seems to move toward training and increasing competence. In 2019, investments were primarily directed at IT security enhancements.
• For companies focusing on people competence and awareness, it will be beneficial to make management system investments as well. This will increase maturity and make a company better equipped both to manage human error and to build resilience.


Question 6 – Relevance of benefits
Based on your experience and perception, what do you think will be the relevance of possible benefits achieved from implementing a structured privacy and personal data protection management system in your company?

Average score on a 4-point scale (1 – Not relevant, 2 – A little relevant, 3 – Somewhat relevant, 4 – Highly relevant; DK/DA excluded). Benefits scoring 3.25 or higher are marked ◼ as relevant benefits.

Benefit                                                      Score
Improved financial results (e.g. through reduced costs)      2.49
Advantages with tax/banks/insurance                          2.44
Achievement of strategic objectives                          3.09
Creation of new market opportunities                         3.03
Providing a competitive advantage                            3.12
Improving public image                                       3.37 ◼
Ability to meet legal requirements                           3.75 ◼
Customer satisfaction/meet customer needs                    3.55 ◼
Better relations with authorities                            3.00
Improve identification/management of risks                   3.52 ◼
Top management commitment & engagement                       3.35 ◼
Enhanced worker engagement                                   3.24
Improved communication with stakeholders                     3.02
Improvement in management of suppliers/contractors           3.22
Privacy & personal data protection performance improvement   3.63 ◼
Safeguard property                                           3.48 ◼

• The perceived top-3 benefits of implementing a management system are:
  1. Ability to meet legal requirements (3.75)
  2. Privacy & personal data protection performance improvement (3.63)
  3. Customer satisfaction/meet customer needs (3.55)
• The top 3 are closely followed by “Improve identification/management of risks” (3.52) and “Safeguard property” (3.48).
• This underscores companies’ focus on legal requirements and compliance. However, it is worth noting that to improve performance and become more agile in addressing risks and incidents threatening operations, companies must take a wider approach and include technical requirements.
• Implementing a certified privacy and personal data protection management system is one such action, in addition to investing in IT security infrastructure, for example.


Benefits from the Management Systems in managing risks, overall view

The chart below shows the contribution of each of the areas in focus to the list of identified benefits. The chart will be progressively updated as each new requirement is analysed; when all areas have been investigated, the chart will be complete.

[Matrix chart: rows are the benefits (Improved financial results (e.g. reduced costs); Advantages with tax/banks/insurance; Achievement of strategic objectives; Creation of new market opportunities; Providing a competitive advantage; Improving public image; Ability to meet legal requirements; Customer satisfaction/meet customer needs; Better relations with authorities; Enhanced employee engagement; Improve identification/management of risks; Top management commitment & engagement; Improved communication with stakeholders; Improvement in management of suppliers; Performance improvement within the specific area; Safeguard property). Columns are the areas in focus (Environmental management; Business continuity management; Infection risk; Occupational health and safety management; Information security management; Privacy management). A filled square (◼) marks a highly relevant benefit for that area. The individual marks are not recoverable from the extracted chart.]


Methodology and Sample

This Espresso survey was conducted in December 2021. It involved 493 professionals in companies across different industries in Europe, North America, Central & South America, and Asia.

• The sample consists of Business Assurance customers of DNV and does not claim to be statistically representative of companies worldwide.
• Charts comparing “privacy certified” with “non-privacy certified” companies represent those who answered “Yes” or “No” to the question “Does your company have an ISO 27701 (privacy management system) certification or similar?”.
• The questionnaire was administered using the CAWI (Computer Assisted Web Interviewing) methodology.


Thank you!

Want to access the results from other ViewPoint surveys? Not yet a ViewPoint member and want to join? Interested in benchmarking the performance of your company’s management system? Learn more at www.dnv.com

February 2022