Business imperatives are driving the need for privacy protections: 90% of organizations said their customers would not buy from them if they did not properly protect customer data. What’s more, 91% said that external privacy certifications have become an important factor in their own buying process. And privacy issues are very much in the boardroom, with 94% of organizations now reporting one or more privacy metrics to their board of directors.

These are some of the findings from the Cisco 2022 Data Privacy Benchmark Study released Jan. 26, which draws on more than 4,900 anonymous responses from security and privacy professionals in 27 geographies.

Business value of privacy

In addition to the customer imperative, privacy investment continues to pay off for organizations in a variety of ways. Organizations are seeing significant privacy-related benefits in terms of increased operational efficiency, better agility and innovation, mitigation of security outcomes, and reduced sales delays. These translate into financial value: the average organization is getting a 1.8 times return on its privacy spending, with a third getting benefits of at least two times their investment. Interestingly, organizations that see themselves as more privacy mature are getting significantly higher returns than others.

Privacy laws and responsibilities

The EU General Data Protection Regulation became enforceable more than three years ago, and now two-thirds of the world’s countries have enacted privacy legislation. While complying with these laws requires cost and effort, organizations recognize the value of these protections and are overwhelmingly supportive. Amazingly, 83% of respondents around the world believe privacy laws have had a positive impact, versus only 3% who believe they’ve had a negative impact.

We’ve also seen an evolution in privacy-related skills in the past few years, and privacy responsibilities are no longer limited to lawyers and privacy professionals. According to our research, nearly one-third of security professionals now identify “data privacy” as a core area of responsibility, second only to “Detecting and Responding to Threats.”

Responsible artificial intelligence

Organizations recognize they have a responsibility to use data ethically and appropriately, and most say they have processes in place to ensure any use of personal data, including automated decision-making, meets customer expectations. On the other hand, over half of consumers express concerns about how their data is being used in AI today, with many saying they will place less trust in organizations that use automated decision-making with personal data. Hence, it’s an area to which organizations need to pay close attention.

Aligning privacy with security

Privacy professionals often wonder where the privacy function should sit within their organization. According to the survey responses, the most common locations are not in legal but in IT (37%), security (34%) and compliance (11%). From a maturity and financial perspective, it appears the best fit is aligning privacy closely with security. Organizations with this model are showing higher average privacy returns and higher privacy maturity than those with other models.

Recommendations

This research suggests organizations should continue to invest in building privacy capabilities, particularly among security and IT professionals, and those who work with personal data. Transparency is particularly important to customers, and organizations need responsible frameworks and governance over their use of personal data, especially when applied in AI. Finally, organizations should ensure close alignment between privacy and security professionals as they work to keep customer data safe.
