The strategic role of data protection is still unclear for many companies, 80% of whom regard it merely as a matter of compliance. Only 28.5% welcome it as a business enabler. Sensitive industries and ISO/IEC 27001 certified companies differ somewhat since they recognize that the relevance of data protection is key to their overall business strategy and directly correlate it to their performance.
Privacy management entails risks, and lack of competence is the major one
Handling personal information is risky, especially when companies are dealing with customer data (45.8%). The "human factors" are more worrying than any external threat. Low legal (23.5%) and technical (17.4%) competence, unawareness among employees (21.9%) and management (20.3%), and human error (20%) are their main concerns. The lack of IT security measures to counter external threats is still a relevant concern (19.4%).
Investment in security, training and risk assessment is top priority
One company in two now invests in IT security enhancement. After years in which the focus was primarily on infrastructure, the spotlight is increasingly on the human role, with 43.4% allocating resources to staff training. Risk assessment has also now reached the investment ranking podium at 37.7%.
Companies in sensitive industries invest the most
Companies operating in sensitive industries such as health and social work, financial intermediation, public administration and information technology are those making the highest investment in IT security enhancement (60.6%) and in staff training (56%). This is most likely due to their direct interaction with consumers. In response to questioning, they also appeared more conscious of the high risk of handling end-user data (43.4%), where lack of adequate protection accounts for the lion’s share of sanctions issued by data authorities.
Certified companies face fewer difficulties and gain competitive edge
40% of companies struggle to know where to focus their efforts to be compliant and about 34% feel there is a lack of regulatory guidance. Only half believe the efficient management of personal data can lead to profitable gain. Certified companies do not face the same difficulties and are also better placed to seize the competitive advantage that derives from data protection (58.3%).
Technology and regulations: a value or complication?
According to 34.3% of respondents, new digital technologies such as big data analytics, IoT (Internet of Things), sensors, blockchain and smart tags pose threats to data protection, while 15.4% believe that they can be beneficial for data protection. The majority, however, remains unsure of their impact. Current privacy regulations are widely perceived as a curb on innovative projects, although some 17.2% deny this is the case; a discrepancy which highlights the overwhelming need for clarification.
Companies expert in data protection are still few and far between
On a data protection maturity scale, only 7.5% of respondents consider themselves to be expert. Sensitive industries (15.3%) and certified companies (12.3%) account for a higher percentage of companies with advanced privacy management skills. There is almost universal awareness that this is an essential issue, and skills are expected to improve over the next two years. 77% of all companies will maintain or increase their investment in privacy management in the next year.
Certification, a valid support for data protection
The majority (83%) of all certified companies found support in the ISO/IEC 27001 management system. This requires policies, roles and responsibilities to be clearly defined, technologies and information management processes to be put in place, and staff to be trained. The rewards obtained offset the most pressing risks faced by companies. Among these benefits, 51.3% observed increased management commitment, 44.4% noted higher employee engagement and 46% cited the implementation of appropriate technical measures.