
Privacy trends 2013
Governance evolves for regulators and businesses
Globally, regulators are doing everything they can to keep pace with the changes that necessitate greater privacy protection.
But for every one step they take forward, technology seems at least two steps ahead. Technology is evolving at such a rate that regulators may never catch up.
From enforcer to strategic advisor
Regulators are recognizing that they may be more effective with a two-pronged effort:
- Continue to improve privacy protection through legislation and regulation
- Become strategic advisors and active participants in decision-making discussions with organizations and consumers
The accelerating pace of technological change has shifted regulators from regulation-makers to strategic advisors. Where their primary role was once to enforce the rules they created, many regulators are now equal parts compliance monitors, educators, liaisons between business and government, and active participants in the privacy debate.
Vendor assurance is not as easy as it looks
On the business side, organizations have been attempting to use a number of tools created to offer independent assurance of privacy programs. Auditors, third-party attestation providers and industry oversight bodies have made great strides in developing tools to address vendor management risk.
However, many organizations are not yet mature enough to meet all the rigorous requirements that assurance standards demand. The world of privacy assurance looks much the way the financial landscape looked when the Sarbanes-Oxley Act was first introduced.
Initially, many public companies thought it would be easy to meet the requirements. But many suffered a rude awakening when they realized that a substantial portion of their financial controls were insufficient for their auditors.
Many organizations have been challenged to meet the rigorous requirements of developing, maintaining and documenting the necessary controls, especially when it comes to privacy. However, as the risk associated with personal information continues to escalate, the trend for independent assurance in the privacy sphere will continue to grow.
The role of the privacy officer continues to evolve
Where it was once leading practice to have a privacy officer, today it is common business practice. In fact, in many regulatory jurisdictions, the position is mandatory.
In large multinationals and in rapidly changing, information-intensive organizations, the role of the privacy officer has evolved significantly. As the role has matured, privacy officers find that they need to be more than luminaries or policy-setters. They also need to deal with ongoing business issues and oversee a growing network of privacy professionals with whom they may have only a dotted-line reporting relationship.
However, another class of privacy officers has emerged — privacy officers who manage programs that experience only small changes over time. Once their privacy program is in place and operating effectively, their organizations move from low maturity to a moderately mature level where maintenance, breach handling and program updates are the main functions.
Once a career destination, the privacy role in slowly evolving or medium-size organizations that are not data intensive is increasingly held by low- to mid-level managers for whom privacy is one of many positions along the career path.
The maturation of the privacy officer has a direct effect on the maturity of privacy management as a whole. When a privacy manager moves on within the organization, that person takes that knowledge with them. This not only creates a fluency in privacy across other parts of the organization, but also makes privacy everyone’s responsibility.
In this way, privacy becomes part of the fabric of the organization. It is as integral to an organization as HR, procurement or internal audit.
Many organizations see their privacy function as moderately mature
In our 2012 Global Information Security Survey, we asked participants to rate the maturity of their privacy function and of several information security functions within their organizations on a scale from nonexistent to very mature.
Only 7% of respondents view their organizations as very mature when it comes to privacy. A near majority — 41% — see themselves as moderately mature.
They’ve made progress, but they know that they can do more when it comes to privacy protection.
