Cisco 2021 Data Privacy Benchmark Study Forged by the Pandemic: The Age of Privacy
The COVID-19 pandemic led to dramatic changes in 2020. At a time of disruption and uncertainty due to the pandemic, people have been suddenly expected, and at times required, to share their personal information such as personal lives, routines, social circles, health status and other data with governments, employers, and also with strangers while learning to interact remotely and in new digital way to help curtail the spread of COVID-19. People have shifted much of their lives online, accelerating a trend that normally would have taken years. These mass-scale shifts in human interaction and digital engagement presented many challenging data privacy issues for organizations who aim to follow the law, stop the spread of the pandemic, while also respecting individual rights. It put strains on privacy as the need to protect individual’s data was often in conflict with the need to protect public health. Consumers and the general public are growing increasingly concerned about how their personal data is being used. Fortunately, privacy protections established over the last decade helped decision makers strike the right balance between individual concerns and community needs. Cisco recently published the 2021 Data Privacy Benchmark Study, its fourth annual look into corporate privacy practices worldwide, which found enhanced importance of privacy protections during the pandemic and increasing benefits for businesses that adopt strong privacy measures. The independent, anonymized survey analyzed the responses of 4,400 security and privacy professionals across 25 countries and explored attitudes towards privacy legislation and the emergence of privacy metrics being reported to executive management. In this year’s Data Privacy Benchmark Study, we’ve found strong evidence that privacy has become an even more important priority during the pandemic. Privacy budgets have increased over the last year, organizations have more resources focused on privacy, and privacy investments going above and beyond the law are translating into real business value. Privacy legislation and external certifications are providing assurance in a business environment where it’s hard to know whom to trust. Consumers are exercising their privacy rights and demanding enforcement of existing privacy protections. The reaffirmation of privacy’s value even during the pandemic positions it as a priority for years to come. Privacy is no longer an afterthought; it is core to how we work and interact with each other. The age of privacy has arrived. KEY FINDINGS In this study, we continue our exploration of privacy practices and maturity levels at organizations around the world, their financial investments in privacy, business benefits from these investments, and the forces driving these behaviors. In this year’s research, we also included several questions related to the pandemic and its impact. Some of the key findings include Ninety-three percent of organizations turned to their privacy teams to help navigate and guide their pandemic response. Privacy budgets doubled in 2020 to an average of $2.4 million. RoI was slightly down compared to 2019, but remains attractive with 35% reporting benefits at least 2 times their investments. Privacy laws are viewed very favorably around the world, with 79% of organizations indicating they are having a positive impact (and only 5% negative impact). External privacy certifications (e.g., ISO 27701, APEC Cross-Border Privacy Rules, and EU Binding Corporate Rules) are an important buying factor for 90% of organizations when choosing a product or vendor. Organizations with more mature privacy practices are getting higher business benefits than average and are much better equipped to handle new and evolving privacy regulations around the world. Data privacy has become a top area of responsibility for security professionals, with 34% of survey respondents indicating privacy is one of their core competencies and responsibilities. Ninety-three percent of organizations are reporting privacy metrics (e.g., privacy program audit findings, privacy impact assessments, and data breaches) to their Boards. These findings provide strong evidence that the commitment to privacy has been strengthened during the pandemic. Organizations that get privacy right improve trust with their customers, operational efficiency, and both top-line and bottom-line results. FORGED BY THE PANDEMIC: THE AGE OF PRIVACY 1. Helping organizations overcome the challenges of the pandemic The COVID-19 pandemic forced many changes on society in 2020, including a rapid shift to remote working and an often-urgent need for personal health information to support public health initiatives. Rather than being pushed aside, privacy teams and privacy principles have attained greater prominence as they have helped organizations manage this shift and balance the competing interests of individual rights and public safety. Ninety-three percent of organizations said their privacy teams played a significant role in helping them navigate and respond to the challenges brought on by COVID-19. These challenges included the shift to remote working, determining when and how to share personal information, and implementing controls to limit access and use of any shared personal data. During the pandemic, the percentage of organizations where most employees were working remotely jumped from 40% to 67%, and 91% of organizations had at least a quarter of their employees working remotely. Unfortunately, many were unprepared for this transition. Only 41% of organizations described themselves as fully prepared for this shift from a privacy and security perspective, and 87% of individuals expressed concern with the privacy protections involved in the tools they needed to work and interact remotely (See figure 1). In responding to the pandemic, governments and organizations needed health-related personal data to understand co-morbidity factors and exposure risk to keep their communities and workplaces safe. Despite the need, consumers generally supported few if any exceptions to the privacy protections for their data. Thirty-six percent of respondents in the consumer survey wanted no change to existing privacy laws, with another 26% supporting only limited exceptions. Only 10% thought privacy should take a back seat to safety during the pandemic (See figure 2). In considering specific use cases, 57% were supportive of employers’ need for health information to keep their workplaces safe, but most other use cases were only supported by a minority of respondents. These included location tracking, contact tracing, relaxing medical restrictions, disclosing information about infected individuals, and using individual…