Privacy impact assessments (PIAs) are used by organizations large and small to reduce risk, maintain compliance and establish accountable frameworks for protecting sensitive data and meeting regulatory standards. For organizations already conducting PIAs, or thinking about implementing them, there has been scant data available on how other organizations conduct theirs.
Plus, there are very real obstacles to getting those PIAs completed. For example, how do you budget for them? How many employees will it take? And how long, for that matter?
Well, PIA benchmarking data is now available to help answer some of these questions. In a webinar on Thursday, TRUSTe Director of Product Management & Principal Consultant Ray Everett revealed the results of an online survey of 203 individuals who are closely involved in their organizations' PIAs. All of those surveyed were from large organizations across the globe.
Everett said there has been very little available insight into industry best practices, and a lack of consistency in terminology and process, when conducting PIAs. More information on how industry conducts its PIAs may also help others budget and plan for their own assessments. Significantly, budget and lack of time are the two biggest reasons companies do not conduct privacy assessments.
The survey was conducted online in early December 2014 and targeted organizations with at least 1,000 employees. Nearly three-quarters of the organizations surveyed, though, have at least 5,000 employees. A range of industry verticals was represented, including the financial, high tech, healthcare, manufacturing and retail sectors. However, nearly half of those surveyed were from the high tech and financial services sectors.
Of those surveyed, more than half (56 percent) had conducted a PIA in the last 12 months, and of those, 50 percent conducted at least 11 assessments in that period. Additionally, 65 percent of those surveyed said it takes at least 100 employee hours to complete an average assessment.
There was also a broad range of reasons for conducting PIAs. The most common reason stemmed from internal annual reviews, followed by a regulatory change, then product change, annual certification and finally a merger and acquisition.
Interestingly, the survey also identified the top reasons impact assessments are slowed down within an organization. The biggest reason? You might have guessed it: getting your fellow employees to respond. The second biggest driver is evaluating risk, followed closely by the time taken to analyze responses (when you finally get them!).
Nearly 70 percent of those surveyed said the biggest reason more PIAs are not conducted is budgetary, while more than half said the privacy team's time is also an obstacle.
If you're looking for resources on how to conduct a PIA in your organization, find them here in the Resource Center.