I created this cartoon to illustrate the fact that despite the increasing risk that privacy violations pose to an organization, many organizations are not increasing the funding and resources devoted to privacy. More work gets thrown onto the shoulders of under-resourced privacy departments.
It is time that the C-Suite (upper management) wakes up to the reality that privacy is a significant risk and an issue of great importance to the organization. Looming on the horizon is the enforcement of the new EU General Data Protection Regulation (GDPR), which will begin in 2018. It’s never too early for organizations to start preparing. GDPR imposes huge potential fines for non-compliant organizations — up to 4% of global turnover in many cases. For more information, see the FAQ page I created about the GDPR and privacy awareness training.
Of course, the C-Suite may be quick to say that privacy is very important, but what matters most are the actions they take. Privacy office budgets and sizes should be going up by a lot these days.
According to the survey, about two-thirds of directors are less than confident about their company’s cybersecurity. This finding is not surprising given the frequency of data breaches these days. There is a growing sense of exasperation, as if we are living in an age of a great plague, with bodies piling up in the streets.
Privacy and cybersecurity have become issues that should be addressed at the board level. No longer minor risks, privacy and cybersecurity have become existential issues. The costs and reputational harm of privacy and security incidents can be devastating.
Yet not enough boards are adequately engaged with these issues. According to a survey last year, 58% of members of boards of directors believed that they should be actively involved in cyber security. But only 14% of them stated that they were actively involved.