The “Benchmark Your Data Protection Controls” survey, conducted by BRYTER and Compliance Week, was administered by email and social media invitation between November and January. In total, 81 completed online submissions were selected for survey analysis.
About 80 percent of respondents worked at companies of 100 or more employees. Nearly half, at 45 percent, identified expressly as compliance practitioners of various ranks within their organizations. The most frequently occurring job titles were compliance manager (11 percent), compliance specialist (10 percent), and chief compliance officer (7 percent).
More than 40 percent of respondents said compliance held its own department within their organization. About 30 percent indicated compliance either sat within the legal department or as part of a combined legal/compliance function. Around 11 percent said compliance was embedded in the business.
Key survey findings
- Legal and compliance teams ranked data privacy and cybersecurity threats the No. 1 biggest risk entering 2022, ahead of remote working, changing regulatory landscapes, and adopting new technology.
- Only 20 percent of respondents were very confident their team had the right tools to effectively manage a data breach.
- Only 17 percent of respondents were very confident in the ability of internal clients to obtain the answers they need by finding company policies via an intranet.
- Only 27 percent were very confident their company was meeting mandates required by U.S. and international authorities to monitor and respond to evolving cybersecurity and data privacy issues.
Data privacy and cybersecurity threats loom large in 2022
It is no secret why data privacy compliance is top of mind for companies across industries: For every business leader who fears a data breach, there is another who’s experienced it.
Nearly half (47 percent) of compliance and legal professionals canvassed in the survey said their company experienced a data protection-related incident in the last decade. Around 40 percent also experienced a data breach via third party, supply chain, or business partner.
Legal and compliance teams ranked data privacy and cybersecurity threats the No. 1 biggest risk going into 2022, ahead of remote working, changing regulatory landscapes, and adopting new technology.
As companies look back at known data breaches and forward to the cyber risk and regulatory landscapes ahead, most have embraced the need to tech-enable business functions relating to data protection. Eighty percent of the compliance and legal professionals surveyed said technology was an important or key part of their strategy for managing data protection risk. Nearly everyone else said they would like it to be.
Introducing technology to reduce inefficiency—and risk
“Companies should and in some cases must use technology in order to tackle the many challenges they have. Why? Because data protection is risk prone. There is a measurable risk of getting fined for data protection infringements, and it’s also a high frequency and high touch business,” said BRYTER Co-Founder and Chief Commercial Officer Micha-Manuel Bues.
Many internal stakeholders touch data in their business functions and, in doing so, present added risk to the compliance/legal team, necessitating a lot of cross-departmental communication. Too frequently, legal/compliance teams spend an inordinate amount of time answering repetitive, relatively simple data protection-related queries from internal stakeholders.
“Legal/compliance sits in the middle. They deal with a lot of different departments with a lot of different needs,” explained Bues.
The majority of survey respondents, at 57 percent, said they spend a quarter or more of their time responding to frequently occurring issues or questions. Put another way, they spend more than one day a week on this task.
This inefficiency could point to the type of technology favored by employees. Notably, 78 percent of respondents said internal stakeholders use phone, email, and messaging communications to gain direct answers related to data protection. This traditional service delivery model is an unnecessary drain on the time of subject matter experts.
“There is an easier way to give [stakeholders] the same answers in a self-service approach,” said BRYTER Head of Business Consulting Josephine Hanschke. “The less touchpoints you have with a legal/compliance person who needs to spend active time on [a query], the more time you give back to those teams to do something that adds more value to the overall organization.”
Technologies like intranets and chatbots are self-service tools allowing stakeholders to find answers independently. About two-thirds of respondents (67 percent) indicated employees use their company’s intranet to find answers to their questions. That said, only 17 percent of respondents were very confident in the ability of internal clients to obtain the answers they need by finding company policies via an intranet.
Benchmark your data protection program
BRYTER Chief Executive and Co-Founder Michael Grupp interpreted these results alongside Mercer Chief Compliance Officer for the Americas Ann Chaglassian and cybersecurity professor Darren Hayes at Compliance Week’s virtual Cyber Risk and Data Privacy Summit on Feb. 15.
“Most people … would rather a ‘yes/no’ answer than 10 minutes of reading” on a company intranet, Grupp reasoned. Moreover, people are less confident about answers they find themselves; they prefer the reassurance of speaking to a subject matter expert directly, Grupp speculated. He proposed data protection policies on self-service tools should be “more user-friendly, digestible, and [written] with empathy from the consumer’s view. Maybe make it more interactive.”
To Grupp’s point, when survey takers were confronted with the statement, “Most employees understand their data protection and security obligations and know where to go to ask for help,” only a quarter strongly agreed.
Education: Taking a proactive approach to data protection
While intranets are crucial central repositories of company policies, Chaglassian posited the policies with the highest risk, such as those relating to data protection, must be highlighted, not buried.
“There are lots of ways to do that,” offered Chaglassian. She suggested monthly or quarterly newsletters and integrating data protection-related policies in training content. “There has to be a concerted effort to make these policies succinct. It’s not realistic to make [employees] read long policies.”
Nearly half of respondents (48 percent) agreed educating employees on data protection was the most important lever to pull to manage risk. Yet, at the same time, 42 percent of survey takers said their companies were not increasing training of employees and the wider business. Moreover, 48 percent also indicated their organizations eschewed the opportunity to track employees’ compliance with data protection policies via mandatory, business-wide training.
People admit it’s important to train, but still, they’re not doing it. Hanschke and Bues said this dissonance is explainable.
“We see this often because [ongoing business-wide training] is expensive, takes time, and maybe is not that pressing. Still, people know it’s the right thing,” said Bues.
“Companies understand it’s important that long-term training will make an impact in alleviating the risks they might otherwise find,” said Hanschke. However, “creating these ongoing learning strategies takes a lot of time, and I don’t think it’s an industry best practice yet,” she said.
Something training offers that reading legal/compliance policies might not is the opportunity to underscore best security practices, mentioned cyber expert Hayes during the Feb. 15 panel discussion.
“From experience, we know the most effective cybersecurity attacks happen around the Fourth of July or Thanksgiving, when there are less employees in the office, or on a Friday evening, when people are about to shut down for the weekend. … You’re not going to find those types of tips in a policy document,” Hayes pointed out.
All five experts seemed to agree: With data protection compliance, technology is key—it might even solve 50 percent of the problem—but the right ongoing training is essential. It may even be a prerequisite, along with several other tactics.
“Technology can definitely be helpful, but there are a few steps before that which need to be considered,” said Hanschke, who laid out the following preconditions:
- Have a team in place that will look at data privacy for the organization.
- Identify the main risk areas for the business.
- Put processes in place.
- Purchase technology that will help fast-track and streamline processes.
The difference between a reactive and proactive approach to data protection compliance is a company’s willingness to look at its biggest pain points, its maturity level, its business goals, and its ability to scale before making a strategic technological investment.