What happens to privacy protections in a pandemic?
When any serious threat to our safety and well-being arises, many would think privacy protections would take a back seat. After all, our personal data, including our health status, social contacts, and physical locations, have been needed to help control the spread of COVID-19. What’s more, the rapid shift to remote working has left organizations scrambling to keep their functions up and running, and privacy protections might well have been an afterthought.
Today, Cisco released its 2021 Data Privacy Benchmark Study entitled “Forged by the Pandemic: The Age of Privacy.” Drawing on responses from more than 4400 organizations in 25 countries, the findings show that rather than trying to reduce privacy protections, organizations have increasingly turned to privacy principles for guidance in an uncertain time. In doing so, privacy has been strengthened and now seems destined to play an even more critical role going forward.
Support for Privacy Principles
Ninety-three percent of organizations turned to their privacy teams for help in navigating the pandemic, and there was quite a bit to navigate. Most organizations said they were unprepared for the privacy and security implications of the shift to remote working. Eighty-seven percent of individuals, which includes employees and customers, were concerned about the privacy protections of the remote tools they were being asked to use.
The research also shows strong support for maintaining privacy principles and protections. Sixty-two percent of individuals wanted little or no change to existing privacy laws, and there was very limited support for use cases involving the sharing of personal information even in the face of the pandemic.
While individuals supported employers’ efforts to maintain a safe workplace, they were much less enthusiastic about location tracking or disclosing any information about infected people. Respondents wanted any use of their personal data to be limited and strictly controlled. Their top concerns were consistent with the fundamental privacy principles of transparency, fairness, and accountability.
Privacy’s New Role in Organizations
Accelerated by the needs of the pandemic, privacy has become mission-critical in most organizations. Among security professionals who responded to the survey, over a third said data privacy was one of their top areas of responsibility, along with assessing and managing risk and responding to threats. Privacy is getting attention at the highest levels of management, as 90% of organizations are now rolling up and reporting privacy metrics to the C-suite and Board of Directors.
Privacy budgets have doubled over the past year at both small and large organizations, partly in response to the greater needs of the pandemic, evolving privacy legislation, and the emerging need to respond to greater data localization requirements. And external privacy certifications, like ISO 27701, have now become a critical buying factor for 90% of respondents.
Perhaps the strongest support for privacy can be seen in the area of legislation. There are now more than 140 jurisdictions with privacy laws in place, and one might expect organizations to abhor any regulation that adds cost and complexity. Yet, privacy seems to be the exception, as nearly 80% of organizations worldwide indicated that privacy legislation is having a positive effect on their organizations. They value the guardrails and the customer protections that these laws provide.
Go Beyond Security Awareness
Culture spans the gap between awareness and action. As expected, having security awareness training (BG4) corresponds with creating a security culture. It would be interesting to peel this back and see what form training takes. We’ve all seen poorly done training, the annual ritual of mindlessly clicking next on the presentations covering security and compliance. Some of the better training programs favor gamification and feature shorter lessons. We simply don’t have the data on how the respondents are organizing their training.
Training is the starting point. We’ve seen how hard it is to get people to act on awareness, from using seatbelts to stopping texting while driving, from stopping smoking to eating better. Cyber security is no different. Behavioral economics has spent decades teasing out the barriers to action, and the tactics for getting people there. Two of these tactics are tying behaviors to a person’s identity and making it a personal routine. Culture is the beliefs and the behaviors of people in our organizations.
Privacy is a Boon to Business
Data privacy has come of age and is no longer considered something that benefits only the consumer. Over two-thirds of organizations are realizing business benefits across a wide variety of areas, from reducing sales delays and enabling innovation, to achieving greater operational efficiency, and building loyalty and trust with their customers. And these translate into bottom-line value as the average organization estimates they are realizing benefits nearly twice their investment in privacy.
The days of thinking about privacy as merely a compliance issue are over. Forged by the pandemic, privacy has become an essential priority for management, employees, and customers alike.
This blog was originally written by Robert Waitman for Cisco Blogs.