Seventy percent of government programs report less than sufficient budgets to meet their privacy needs, according to a recently released study from the International Association of Privacy Professionals (IAPP) and Ernst & Young (EY).
“There are clearly still low budgets and a lack of staff resources for privacy programs at government agencies,” said Omer Tene, vice president of research and education at IAPP. “In comparison to the private sector, government is investing fewer resources, privacy budgets are smaller and people feel their career opportunities in this space are more restricted than they are in the private sector.”
IAPP and EY surveyed a broad spectrum of organizations across the globe to document the status of privacy governance today. Overall, findings were positive, though there is room for improvement.
“We found that privacy professionals earn well, are trained in law, business and technology, influence a broad swath of departments across their organizations, and are increasingly part of strategic management teams,” said Tene. “At the same time, privacy programs clamor for additional resources and seek more sophisticated and efficient technological tools to monitor, manage and protect data flows in their organizations.”
This is especially true in the government sector, Tene said.
“Government programs tend to be compliance-based as opposed to what we call ‘risk-based,’ which is less of a legal compliance issue and more of a strategic brand reputation issue.”
The good news is, government demonstrates leadership in some aspects of privacy.
“Privacy programs have been in place in government departments for a longer time in most cases than they have in the private sector,” said Tene. “Some of the largest and most robust privacy programs out there are actually in government departments. Plus, government is using some key privacy tools more than their private sector counterparts.”
Tene points to Privacy Impact Assessments (PIAs) as one example. A PIA is a structured process for inventorying data and figuring out the data flows in the organization in order to minimize privacy risks.
“Government is on top of that and implements PIAs more often than private-sector entities,” he said. “And given Freedom of Information laws, some of the most important government PIAs are actually publicly available, which is seldom the case for businesses.”
On the whole, however, Tene said budget opportunities and the prospects for growth are much more encouraging in the private sector than in government.
Fortunately there are steps government agencies can take to improve their privacy efforts even without big budgets, starting with training.
“Training employees to recognize and identify data privacy issues can go a long way,” said Tene. And that training shouldn’t be restricted only to the CPO or equivalent and his/her team.
“Increasingly we see companies training large numbers of employees about privacy,” Tene said. “We've actually had companies offer training to thousands of employees. Anyone who touches personal data of consumers or of other employees in their day-to-day activities is being trained to recognize and identify privacy issues, and to at least have the ability to escalate problems if they encounter them. I think it's important for government to ensure that anyone that comes into contact with citizen data is up to speed on data security and privacy.”
Overall, Tene said the importance of privacy for any business, organization or government speaks for itself today.
“After major data breaches at OPM, Ashley Madison, Anthem, etc., I think we are beyond the point of trying to figure out if this is important and more at the point of having to think of what the solutions are,” he said. “This survey provides a good benchmark to at least see what other organizations are doing.”