The survey of 546 privacy and risk professionals by global IT association ISACA found that more than half of them have no confidence in the protection of consumer data.
Nor is there a great deal of confidence within those enterprises about their ability to ensure the privacy of their own sensitive data.
Only 29% of respondents said they were very confident in their ability to ensure the privacy of that data, and nearly one in five said their organisation had experienced a material privacy breach.
The most commonly reported privacy failures were:
• Lack of training or poor training
• Data breach/leakage
• Not performing a risk assessment
On a brighter note, however, more than 9 in 10 organisations say they have assigned someone to be accountable for privacy. The roles most often given this responsibility are CISOs and chief privacy officers (CPOs), and these typically report directly to the CEO.
Additionally, the majority (76%) of organisations provide privacy awareness training to staff.
“Organisations with effective privacy programs understand that these programs begin with a system of governance and management, and are supported by a team with defined privacy responsibilities,” said Yves Le Roux, chair of ISACA’s Privacy Working Group and principal consultant of CA Technologies.
According to ISACA, the seven key components of an effective privacy program are:
1. Appropriate staffing
2. Positioning of privacy function at a high level in the organisation chart
3. Privacy-protection culture
4. Privacy awareness training
5. Globally accepted frameworks/standards
6. Metrics and monitoring program effectiveness
7. Compliance with data-protection legal requirements
ISACA says it will use the survey data to help create additional privacy guidance, including a set of guiding principles in 2016.