ANZ lacks privacy obligations understanding, finds ISACA
A web of complex and ever-evolving data privacy regulations, including the strengthening of Australia's online privacy legislation, is impacting, with less than half of respondents in Australia and New Zealand finding it easy to understand their organisation's privacy obligations.
In addition, only 35% report being highly confident in the ability of their organisation’s privacy teams to ensure data privacy and achieve compliance with new privacy laws and regulations.
ISACA's Privacy in Practice 2023 research report finds those enterprises that consistently practice privacy by design reap rewards. Still, many face challenges getting there because of privacy budgets, staffing and skills gaps.
Jo Stewart-Rattray, Information Security Advisory Group, ISACA, says enterprises must stay compliant and protect the privacy of their data subjects or lose trust and take a hit to their reputation.
“We have seen a remarkable increase in the volume and sophistication of data breaches in Australia over the past year. This new research serves to validate and urge enterprises to prioritise privacy by design," adds Stewart-Rattray.
“This means ensuring that good privacy practices are built into your organisation’s decision-making and digital transformation from the outset. It is an investment that will return benefits in the form of consumer trust, reputational respect and in turn, financial security.”
The survey found that organisations consistently practising privacy by design (30%, up two points from 2022) are at an advantage. In Australia and New Zealand, they are one and a half times more likely to be confident in their organisation's ability to ensure the privacy of its sensitive data and more likely to see their organisation's privacy strategy aligned with organisational objectives (81% vs. 73% total) compared with global results of 92% vs 73% total.
Additionally, organisations in ANZ that always practice privacy by design believe addressing privacy with documented privacy policies is mandatory (92% vs 73% total).
The ISACA research identified three top obstacles to forming a privacy program: Lack of competent resources (50% vs 42% globally), lack of clarity on the mandate, roles and responsibilities (46% vs 40% globally), and lack of executive or business support (42% vs 39% globally).
Only half of all Australian and New Zealand respondents believe their board of directors adequately prioritises privacy (50% vs 55% globally), which suggests an opportunity for boards to improve communication about their commitment to privacy efforts.
Privacy budgets also remain underfunded at many organisations, with only 31% of respondents saying their privacy budget is appropriately funded (compared to 36% globally).
Regarding resources, privacy staff shortages persist, and the demand for technical and legal/compliance roles is expected to increase during 2023. For Australia and New Zealand respondents, technical privacy roles remain more understaffed than legal/compliance roles, with 56% of respondents indicating they are somewhat or significantly understaffed, versus 46% respectively (globally 53% vs 44% respectively). However, the survey also found that 83% of respondents expect increased demand for technical privacy roles in the next year (69% globally), compared to legal/compliance roles (73% vs 62% globally).
“Organisations may desire to comply with privacy regulations and build a privacy by design culture, but without a strong team of privacy practitioners, they face significant obstacles to achieving these goals," says Safia Kazi, ISACA principal privacy practices.
“With the increased need for these privacy practitioners’ technical and legal expertise to keep pace with the regulatory landscape, it is more important than ever to cultivate and train a strong, skilled privacy workforce to meet the demand.”
To fill this skills gap, organisations are training to allow non-privacy staff to move into privacy roles (54% vs 49% globally) and increasing their use of contract employees or outside consultants (48% vs 38% globally).
Respondents cited the most common causes of privacy failures as lack of training (58% vs 49% globally), data breach (48% vs 42% globally) and not practising privacy by design (56% vs 42% globally). To tackle the most common cause of privacy failures, 85% of respondents globally report that their organisation provides privacy awareness training for employees but only 59% review and revise privacy awareness training annually (48% of Australian and New Zealand respondents).
Though the metric used most often among Australian and New Zealand respondents to measure training effectiveness is the number of employees completing training (63% vs 65% globally) instead of a decrease in privacy incidents (58% vs 54% globally), 77% believe that privacy training has had a positive impact on privacy awareness in the organisation (73% globally).
The survey report, reflecting the insights of 1,890 global respondents with 62 in Australia and New Zealand who currently work in data privacy or have detailed knowledge of the data privacy function within their organisation, examines privacy staffing, organisation structure, frameworks and policies, budgets, training, and data breaches.
ISACA is a global professional association and learning organisation that leverages the expertise of its more than 165,000 members who work in digital trust fields such as information security, governance, assurance, risk, privacy and quality. It has a presence in 188 countries, including 225 chapters worldwide.