Privacy audits must become a regular part of corporate life, warns Gartner

25 Sep, 2013

Gartner wants to see more firms tighten up their privacy compliance procedures.

Gartner is urging companies to make annual privacy audits a regular part of corporate life, after its findings revealed many firms feel their existing privacy measures are not up to the job.

The market watcher surveyed 221 companies in the US, Canada and UK earlier this year to gauge attitudes towards a range of privacy, information security and risk management issues.

Its findings revealed that 43 per cent of respondents claim to have a comprehensive management programme in place to ensure compliance with privacy issues. Meanwhile, seven per cent admitted to doing the bare minimum to make the grade.

Carsten Casper, research vice president at Gartner, said companies need to take privacy regulations more seriously than they do now.

“More than a third of organisations still consider privacy aspects in an ad hoc fashion and it is surprising that so many companies are saying that they are not conducting privacy impact assessments before major projects,” he said.

“Sixty-two per cent do not scan websites and applications, or conduct an organisation-wide privacy audit every year.

“Organisations must put these activities on their to-do list for 2014,” Casper warned.

That being said, Casper admitted organisations are continuing to up their privacy investments, in the wake of the PRISM and NSA surveillance scandals and ever tightening compliance regulations.

“[The findings also] show that previous investments have not always paid off and organisations need to refocus their privacy efforts if they want to raise the maturity level of their privacy programmes back to that of 2011 [levels],” he said.

That is the year, according to Gartner, that organisations believe their privacy procedures were at their most established and mature.

To get back to that, it is claimed many firms are planning to increase their headcounts and invest in programmes that will help them tackle the privacy problems thrown up by technology trends, such as cloud computing, big data and enterprise social.

“Gartner’s consistent observation is that privacy programmes are only successful if someone is driving them. Almost 90 per cent of organisations now have at least one person responsible for privacy,” Casper explained.

“Only 66 per cent of survey respondents said they have a defined privacy office role – although the number is as high as 85 per cent in Germany and similar countries where this role is a legal requirement,” he added.

Thirty-two per cent of respondents said they have increased the number of staff responsible for ensuring compliance with privacy issues between 2012 and 2013, but Gartner said companies still need to do more to prioritise solving privacy issues within organisations.

“When storing and accessing personal data, organisations face a number of options. They can store data locally or in a low-cost country, allow access to domestic or remote staff, use a provider for application management or for infrastructure management,” advised Casper.

“There is no right or wrong answer. Organisations have to decide which type of risk they want to mitigate, how much money they want to spend and how much residual risk they are willing to accept.”