Accenture How Global Organizations
8/6/2019 Accenture How Global Organizations
http://slidepdf.com/reader/full/accenture-how-global-organizations 1/32
How Global Organizations Approach the Challenge of Protecting Personal Data
Contents

Passing the Tipping Point 1

Finding 01: There is a notable difference between organizations' intentions regarding data privacy and how they actually protect it, creating an uneven trust landscape 8

Finding 02: A majority of organizations have lost sensitive personal information, and among these organizations, the biggest causes are internal and therefore something they potentially could control

Finding 03: Compliance complacency is prevalent throughout the world 16

Finding 04: Understanding the perspective on and approach to data privacy and protection among third parties with which an enterprise does business is crucial 18

Finding 05: Organizations that exhibit a "culture of caring" with respect to data privacy and protection are far less likely to experience security breaches 20

Addressing the Data Privacy and Protection Challenge: Key Actions and Practices 24
Passing the Tipping Point

Data Privacy and Protection at the Tipping Point
The volume of personal and often sensitive data being collected and shared by organizations today is growing exponentially—largely because of technology advances, lower data storage costs, the rise of the Internet and the emergence of major data brokerage companies.

However, as the amount of data an organization generates and collects has increased, so has the risk the organization faces of losing data and experiencing security breaches. Indeed, many organizations around the world have had their data compromised and have paid steep prices to repair the damage, fines, share-price declines and overall erosion of customer trust.

There is no doubt that organizations today are generating more data than ever. In fact, according to research firm IDC, despite the current economic downturn, the volume of digital data generated in 2008 increased 3 percent more than forecast and is expected to double every 18 months.1

Along with this increase in the volume of data has come a substantial rise in the potential for organizations to experience incidents in which their data is compromised in some way. Disruptive technologies such as software-as-a-service (SaaS) and cloud computing are one of the factors. Sourcing IT solutions from multiple content and service providers unlocks data held in IT silos and disperses it. This increases risk by enabling confidential enterprise data to cross organizational boundaries, and the cloud itself presents risks because organizations have less direct control over how data is managed. Because their core business is based on securely storing customers' data, major cloud providers have made progress in IT security. In fact, many of them offer more sophisticated end-to-end, base-level security and privacy protection than might be found in the data centers of any single enterprise. However, there are still many open issues, such as data control and certification.
2 Accenture
Lightweight systems integration also contributes to the challenge. Taking advantage of Web 2.0-based collaboration tools, including "mash-ups" that combine disparate data stores in easy-to-use interfaces, can be an innovative way to improve productivity. Unfortunately, such user participation can lead to an increase in employees sharing sensitive enterprise data—anytime, anywhere, via any device. In fact, the portability of data (made possible by flash drives, CDs and other gadgets), coupled with the ability to access data via mobile devices (laptops and smart phones, for example), make it increasingly easy for data to be lost, stolen or abused. The security in a networked and interfaced world is as weak as its weakest link.

Unfortunately, while data privacy regulations continue to multiply, such regulations generally are not anchored on a common global standard. Worse, they also have trouble keeping up with technology advances and business practices that are dramatically changing how data is created, shared and stored. The result is a maze of regulations and privacy laws that are often intricate and complex at best, and at worst are costly and contradictory, or fail to properly address changing business models, global-data flows and technology advances.

Beyond regulations, organizations themselves have not kept pace in several critical areas. Many have trouble fully understanding how and where data flows across the organization, as well as establishing clear ownership and accountability for such data.

Furthermore, organizations often do not set clear expectations for employees in the area of data privacy and, in many cases, have technology infrastructures that no longer provide sufficient protection of sensitive data.

The preceding shortcomings have made organizations extremely vulnerable to security breaches and misuse of sensitive data. Indeed, in the United States alone, more than 263 million records containing sensitive personal information have been involved in security breaches since January 2005.2 Such breaches can have serious implications.

Data privacy and protection shortcomings can do irreparable harm to companies' balance sheets, not to mention their brands, credibility and customer trust and relationships.
• Substantial financial costs to respond to and remedy the breach. According to the Ponemon Institute, the costs associated with a security breach have been rising year over year.

• Fines, regulatory enforcement and lawsuits. A number of organizations around the world have suffered fines and lawsuits as a result of breaches they experienced. For instance, U.S.-based retailer TJ Maxx has set aside more than $200 million to deal with potential liability in the massive breach it experienced in January 2007.3

• Erosion of shareholder value. Publicly held companies experiencing breaches of confidential information typically suffer a 5 percent drop in stock price when such a breach is made public.4

• Inability to conduct business or, in the most extreme case, a collapse of political and economic stability. Today's computing infrastructures (including networks, systems, applications and data) are inextricably linked to the successful functioning of government, society and the economy. Given the interconnected nature of commerce and geopolitics, if these infrastructures are compromised, daily operations will grind to a halt, creating a ripple effect across the globe.

In short, data privacy and protection shortcomings put organizations in the dangerous position of no longer being able to assure customers that their data is safe from misuse and at risk of massive breaches that do irreparable damage to their balance sheets, brands and customer relationships. The challenge is particularly acute for multinational companies, which operate across multiple countries with their own privacy laws and cultural attitudes and are subject to a variety of industry regulations.

1 IDC White Paper sponsored by EMC, "As the Economy Contracts, The Digital Universe Expands," May 2009.
2 http://www.privacyrights.org/ar/ChronDataBreaches.htm
3 http://www.usatoday.com/tech/techinvestor/industry/2008-04-02-tjx-data-breach_n.htm
4 "The Economic Cost of Publicly Announced Information Security Breaches: Empirical Evidence from the Stock Market," Katherine Campbell, Lawrence A. Gordon, Martin P. Loeb, and Lei Zhou, Journal of Computer Security, Vol. 11, No. 3, 2003, pp. 431-448.
Accenture Research on Data Privacy and Protection

Given the primacy of the issue, Accenture set out to shed light on the current state of data privacy and protection by surveying business leaders and individuals around the world. Our findings reinforced the notion that data privacy and protection is becoming more difficult for organizations to address and that sensitive personal data increasingly is at risk.

The objective of Accenture's research was to understand how data privacy perceptions and practices around the globe—from both business leaders and individuals—inform and influence data protection practices.

Our research involved two global surveys. In one survey, we polled 5,500 business leaders in 19 countries (Figure 1). Fifty-one percent of those participants were in management positions and 45 percent of them represented organizations with more than $2 billion in annual revenue (Figure 2). The second survey we conducted involved more than 15,000 adult-age individuals in the same 19 countries (Figure 1).

It is important to note that organization size did not unduly influence our results. In virtually all cases, there was no substantive difference between how business leaders representing smaller organizations (those with fewer than 1,000 people) responded and how those from medium-size and large organizations (more than 75,000 employees) answered the questions. The lone exception is that larger organizations were far more likely than smaller organizations to report having experienced breaches.
Figure 1. Business respondents and individuals participating in the survey represented 19 countries around the world.

Business respondents:
North America (10%): Canada, United States
Europe (43%): Belgium, Italy, France, Germany, Netherlands, Russian Federation, Switzerland, United Kingdom
Asia (28%): Australia, Singapore, Korea, Japan, India, Hong Kong
Central/South America (16%): Argentina, Brazil, Mexico

Individuals:
North America (11%): Canada, United States
Europe (43%): Belgium, Italy, France, Germany, Netherlands, Russian Federation, Switzerland, United Kingdom
Asia (32%): Australia, Singapore, Korea, Japan, India, Hong Kong
Central/South America (16%): Argentina, Brazil, Mexico
Figure 2. Annual revenues (or public sector equivalent) of organizations participating in the survey. [Pie chart of respondent shares by revenue band: less than $100 million; $100 to 500 million; $501 to 2 billion; $2 to 5 billion; $5 to 10 billion; $10 to 20 billion.]
Five key findings emerged from our research.
Finding 01: There is a notable difference between organizations' intentions regarding data privacy and how they actually protect it, creating an uneven trust landscape.

Finding 02: A majority of organizations have lost sensitive personal information, and among these organizations, the biggest causes are internal and therefore something they potentially could control.

Finding 03: Compliance complacency is prevalent throughout the world.

Finding 04: Understanding the perspective on and approach to data privacy and protection of business partners is crucial.

Finding 05: Organizations that exhibit a "culture of caring" with respect to data privacy and protection are far less likely to experience security breaches.
Finding 01

There is a notable difference between organizations' intentions regarding data privacy and how they actually protect it, creating an uneven trust landscape.
Not surprisingly, data privacy and protection is an issue of concern for businesses as well as individuals. Approximately 70 percent of both business and individual respondents strongly agreed or agreed that organizations have an obligation to take reasonable steps to secure consumers' personal information, disclose how they use consumers' personal information and deal with the ramifications if they lose consumers' personal information.

However, beyond the preceding, our survey revealed some troubling inconsistencies. Between 40 and 50 percent of the business respondents in our survey:

• Were unsure about or actively disagreed with granting individuals the right to control the type of personal information about them that is collected and how that information is used.

• Did not believe it was important or very important to limit the collection and sharing of sensitive personal information, protect consumer privacy rights, prevent cross-border transfers of personal information to countries with insufficient privacy laws and prevent cyber crimes against consumers and data loss or theft.

• Did not believe a range of typical organizational privacy practices were important or very important (including notice, consent, access, redress, security, minimization and accuracy).

There are several possible explanations for this inconsistency, one of which is industry differences. In some industries, protection of consumers' data is paramount because of the type of information involved and the trust consumers place in the institution (such as financial services), while in others, it is not viewed as critical because the companies involved do not have direct contacts with consumers (for instance, in a business-to-business setting such as component manufacturers).

Cultural or regional differences also may play a role. Indeed, there are clear differences in how various cultures, countries and regions view the issue of privacy. The issue is far more important in the United States and European countries than in emerging markets and, thus, the former have much stronger regulations and laws concerning data and information privacy. Such differences can be exacerbated by the confusion created by different regulatory approaches or even conflicts of law. For instance, businesses with systems located in or accessible from the United States that host personal data for Europe and Canada may struggle to determine how to meet requirements of the U.S. Patriot Act (which gives the government the ability to request personal data in the name of national security), the Canadian Personal Information Protection and Electronic Documents Act (which codified a series of privacy principles established in 1996 as a national standard for the collection, use and disclosure of personal information), or any of the national data privacy laws implementing the European Union Data Protection Directive of 1995.

In addition, a lack of a clear definition of accountability and responsibility for data privacy and protection within the organization is a contributing factor. Many organizations do not clearly define where the oversight of data privacy and protection lies. They also may find that the management responsibility and accountability can be fragmented, with the Chief Information Officer, Chief Information Security Officer, Chief Privacy Officer or the legal function all having some involvement, depending on the specific aspect of data privacy and protection in question. For instance, the CIO could be responsible for maintaining IT and data security, the Privacy Officer for setting policies and procedures and general counsel for ensuring the organization is complying with regulations. Furthermore, organizations often do a poor job of assigning individual accountability to employees through appropriate policy education and training.
[Figure 3 chart: percentage of organizations and of individuals indicating each issue is a top-three privacy concern. Issues: identity theft; diminished civil liberties or human rights; malware or spyware infection; stalking or spying; unwanted e-mail (spam); Internet marketing abuses; cyber bullying; revelation of secrets; stolen assets; government surveillance and censorship. Scale 0% to 60%.]
Organizations and individuals differ on privacy concerns

We also found there are some substantial differences in privacy concerns between individuals and businesses and government agencies, suggesting organizations may not be focusing efforts and investments in the areas about which individuals care most (Figure 3).

While business and government respondents were most likely to cite identity theft (52 percent) as one of their most significant privacy concerns, individuals were most likely to select revelation of secrets and government surveillance and censorship (each with 34 percent). These concerns among individuals are likely heightened in the wake of the post-9/11 push by governments to collect and share more intelligence on citizens in an attempt to more effectively root out threats to national security.

Interestingly, individuals' attitudes toward privacy and information sharing are highly dependent on the type of information being shared and the situation in which it is being shared—which can create challenges for organizations that depend on certain information (such as specific demographic data for targeted marketing).

Individuals are most comfortable sharing with governments and businesses typical contact information—name, home address, telephone number and gender (which are among the most likely types of information our business respondents reported collecting).
Figure 3. Individuals and organizations differ on privacy concerns.
Figure 4. Individuals value privacy differently depending on the situation (% of individuals indicating privacy is most important when conducting this activity). [Bar chart, 0% to 45%; activities: visiting healthcare provider; voting in local or national elections; traveling to other countries; conducting bank transactions; performing work-related activities; filing tax, census or other government documents; participating in online social networks, blogs or wikis; performing Internet search or browsing; paying outstanding bills; making a credit-card purchase.]
Individuals are least willing to provide their race or ethnic background and medical history. Perhaps not surprisingly, the largest percentage of individuals (43 percent) said privacy is most important to them when visiting a healthcare provider (Figure 4). This finding is consistent with the fact that many laws now define health-related data as sensitive and are providing additional safeguards for them.

Individuals also are especially concerned about maintaining their privacy when searching or browsing the Internet. They worry about the ability of government and businesses to monitor their habits online and combine that information with other personal data to create personal profiles.

Conversely, individuals are least concerned about their privacy when participating in social networking, wikis and blogs—which are often the least secure kind of interaction on the Web. This particular finding certainly illustrates the shift in mindset among many individuals in the past five years in terms of what is considered "private" information—a shift that can create major challenges for employers when setting and enforcing privacy policies among a workforce that now contains a substantial portion of the younger generation, who have distinctly different views of what constitutes sensitive or personal information.
Finding 02

A majority of organizations have lost sensitive personal information, and among these organizations, the biggest causes are internal and therefore something they potentially could control. This suggests accountability for and ownership of how sensitive data is used may be lacking in many organizations.
Our survey revealed that security breaches are an ongoing challenge for many organizations. Fifty-eight percent of executives polled said they have lost sensitive personal information, and for nearly 60 percent of those who have had a breach, it was not an isolated event (Figure 5).

Larger organizations appear to struggle more to prevent breaches than smaller ones—likely because, with many more employees and more geographically dispersed operations, the opportunities for data to be lost or compromised are greater. Indeed, just under 70 percent of organizations with more than 75,000 employees have experienced a loss of sensitive personal information, compared with 40 percent of organizations with fewer than 500 people (Figure 6).

Individuals themselves are somewhat skeptical that organizations are doing enough to prevent such breaches, as 42 percent said they either are not sure or do not believe that companies and government agencies are adequately protecting personally identifiable data they have shared with these organizations.

Healthcare providers were named by the largest percentage of individuals as the type of organization most likely to protect information (44 percent), followed by the individuals' own employers (39 percent). Interestingly, only 14 percent said government agencies are most likely to protect personally identifiable information (Figure 7)—a finding that, again, seems to reinforce individuals' unease with the steps governments have taken in the post-9/11 era to enhance national security, as well as the increase in well-publicized data breaches by government agencies in the past year.

Internal issues—employees (48 percent) and business or system failure (57 percent)—were cited most often as the source of the breaches (Figure 8)—a finding that is in stark contrast to the common perception that external forces are the biggest threats to privacy and security. However, this result is consistent with reports of major breaches, many of which were caused not by malicious external hacking but by simple error or negligence by an organization's employees.

Indeed, a study by Cisco Systems found that two-thirds of end users in organizations have done one or more activities that could compromise corporate IT security, such as stepping away from their computer without logging off or shutting down, leaving their computer on their desk overnight, or carrying corporate data on portable-storage devices outside of the office.6

6 "Security Thought Leadership: Data Leakage Study," Cisco Systems, August 2008.
Figure 5. A majority of organizations have experienced a security breach—and many have more than once.

a. Did your organization ever lose sensitive personal information? Yes 58%; No 31%; Can't recall 10%.

b. If yes, how often has this occurred in the past 24 months? [Pie chart; categories: only once; 1 or 2 times; 3 to 5 times; more than 5 times; can't recall.]
Figure 6. Larger organizations are more likely than smaller organizations to have lost sensitive personal data (percentage that lost sensitive data, by number of employees).

More than 75,000: 68%
25,001 – 75,000: 67%
5,001 – 25,000: 61%
1,001 – 5,000: 58%
500 – 1,000: 49%
Fewer than 500: 40%

Figure 8. Internal issues are the most frequent causes of security breaches.

System or technical glitches: 35%
Negligent or incompetent employees: 24%
Business-process failures: 22%
Cyber crime: 18%
Malicious employees: 13%
Negligent or incompetent temporary employees or contractors: 11%

Figure 7. Individuals believe healthcare providers are most likely to protect information (% of individuals indicating organization types most likely to protect personally identifiable information).

Healthcare providers: 44%
Organization that employs you: 39%
Banking institutions: 30%
Police: 21%
Religious organizations: 19%
Government: 14%
Telephone services: 14%
Retailers (stores you shop at): 13%
Postal service: 13%
Internet service provider: 9%
Why are the biggest threats coming from inside the organization?

In our experience, there are several potential reasons. One of the most common reasons is a lack of adequate policies and training programs. A prevalence of breaches being caused by negligent or careless employees suggests the organization has not done a good enough job of developing and communicating strong policies for how sensitive data should be handled. Indeed, only 56 percent of organizations surveyed said it was important or very important to have a policy about their privacy practices. Furthermore, breaches may indicate there are shortcomings in the privacy- and security-related aspects of organizations' employee-training programs.

Lack of adequate controls also can result in recurring breaches. In many organizations, employees simply have too much access to sensitive data. For instance, nearly half of the organizations in our survey said limiting the collection and sharing of sensitive personal information was either only sometimes important, not important or irrelevant. Furthermore, approximately the same percentage believe it is either only sometimes important, not important or irrelevant to limit data collection to only that which is needed to fulfill legitimate business needs, or to adequately protect and secure individuals' or customers' personal information. And, perhaps most tellingly, just 19 percent of businesses said it is never acceptable to sell personal information for profit.

Many organizations also typically do not have a full understanding of data flows across the organization. As the amount of sensitive data an organization collects increases, it is often difficult to keep up with all the areas in which such data is generated, collected, stored and used. For instance, about three in 10 business respondents said they either did not know or were unsure of where personal information about customers and employees resides within their organization's IT enterprise.

Beyond people and organization issues, shortcomings in organizations' data privacy and protection technologies can result in data being compromised. Human error is inevitable. Yet organizations are not doing enough to implement technical tools that prevent employees from taking an action that will compromise an organization's data security.
Finding 03

Compliance complacency is prevalent around the world. Indeed, many organizations believe simply complying with existing regulations is sufficient to protect their data. However, such a mindset is ill-advised given the fact that regulations generally are not sufficiently sophisticated for today's business environment, nor are they consistent or equally applied across industries and countries.
Despite the fact that nearly 60 percent of organizations indicated it is important or very important to avoid regulatory and compliance violations, and just below 70 percent said they regularly monitor privacy and data protection regulatory-compliance requirements, breaches still have occurred in 58 percent of organizations polled. Even more intriguing is the fact that more than 66 percent of businesses in Europe, where privacy regulations are most stringent, admit having had a data breach incident in the past 24 months, and just under half of these organizations have had two or more data breach incidents.

The fact is, the current spectrum of regulations simply is not sophisticated enough to be able to account for all possible problems that could emerge given the rapidly increasing volume of data that organizations collect and the complexity inherent in how such data is accessed and used by organizations.

Making matters worse is the fact that there are no common or consistent standards for dealing with data privacy and protection from country to country or even within individual countries. For example, in the United States alone, there are 49 different state laws that regulate notification of security breaches, as well as separate laws that govern the use of various types of data (such as financial and health data). How does an organization know which applies and, more importantly, create and implement the internal controls that enable it to comply with all of them?

Another example demonstrates how regulations vary by industry. In the United States, the Payment Card Industry (PCI) Data Security Standard, the Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act (GLBA) all were created with the same goal in mind: to protect sensitive data. However, they focus only on specific data elements. The PCI standard, for instance, is only concerned with a credit-card holder's primary account number, while HIPAA is designed to safeguard personal health information and GLBA focuses on protecting consumers' financial information.

Organizations that believe being in compliance with existing regulations is sufficient are not doing enough to proactively protect data and improve their overall security posture.
Finding 04

Understanding the perspective on and approach to data privacy and protection among third parties with which an enterprise does business is crucial. Organizations should "choose carefully the company they keep."
According to our survey, 55 percent of organizations outsource the collection or processing of personal information about customers to a third party (Figure 9). Data must be kept in the safest hands possible, and therefore trust and confidence in outsourcing providers is absolutely crucial.

Organizations must understand not only the provider's own data privacy and protection program to ensure it meets (or better yet, even exceeds) their own efforts, but also its knowledge of and experience with managing data within and across national boundaries. For instance, Accenture operates a comprehensive global client data protection program that provides a standardized, consistent approach to protecting clients' data. This program covers all critical elements of data privacy and protection, including employee training, regular monitoring and auditing, oversight, appropriate responses in case of a breach, enforcement and discipline for inappropriate actions, and comprehensive protective measures to prevent breaches. The program reflects the fact that Accenture views safeguarding client information as one of its most fundamental and important responsibilities, and essential to maintaining the trust that forms the cornerstone of its client relationships.

Figure 9. A slight majority of organizations outsource the collection or processing of personal information about customers to a third party. Yes 55%; No 40%; Unsure 6%.
Finding 05

Organizations that exhibit a "culture of caring" with respect to data privacy and protection are far less likely to experience security breaches. Such organizations tend to view themselves as stewards, not owners, of personal data and take actions to protect data entrusted to them.
As mentioned earlier, 58 percent of organizations experienced at least one security breach in the past two years while 31 percent did not. And in fact, 21 percent of organizations actually had two or more breaches, suggesting serious security shortcomings in some areas of those businesses. Recurring breaches were just as likely to occur in large organizations as they were in smaller enterprises.

When we compared the group that had no breaches with the group that had two or more incidents, we found the former group demonstrates some substantial differences from the latter in terms of their attitudes and policies regarding data privacy and protection, as well as in what they thought were acceptable uses of personal data. In general, our analysis indicates that those organizations with no breaches seem to exhibit an overall "culture of caring" with regard to sensitive data and a mindset that they are not owners of such data but, rather, stewards of that data and it is their responsibility to protect and safeguard it.

Attitudes

Organizations with no breaches were more likely than those with two or more to believe individuals own their personal information and the enterprise is responsible for managing and protecting it.

As noted in Figure 10, the former tended to believe individuals have substantial rights to manage, correct and control information collected about them and to understand how such information is being used. Additionally, the "no breach" group were more likely to feel a stronger obligation to uphold data privacy and protection—for instance, by taking reasonable steps to secure individuals' personal information, control who has access to such information, disclose to individuals how their personal information is used, and help them if the organization loses their personal information.
Figure 10. Attitudes. Organizations with no breaches were more likely than those with two or more to believe individuals own their personal information and the enterprise is responsible for managing and protecting it.
Series: No Breach; Two or More Breaches. Axis: percentage of respondents, 0% to 80%.
Statements compared:
Organizations have an obligation to help individuals if they lose their personal information
Organizations have an obligation to disclose to individuals how their personal information is used
Organizations have an obligation to control who has access to individuals’ personal information
Organizations have an obligation to take reasonable steps to secure individuals’ personal information
Individuals have a right to change incorrect information collected and used by organizations
Individuals have a right to access and review their personal information collected and used by organizations
Individuals have a right to control how their personal information is used
Individuals have a right to control information collected about them and their family

Figure 11. Policies. Organizations with no breaches tend to have policies that value the protection of sensitive data and how such data is used.
Series: No Breach; Two or More Breaches. Axis: percentage of respondents, 0% to 80%.
Practices compared:
Ensure data collected and used is accurate, not false or misleading (Accuracy)
Limit data collection to only that which is needed to fulfill legitimate business needs (Minimization)
Give consumers or customers the ability to view and edit information collected about them (Access)
Have a policy about their privacy practices (Disclosure)
Regularly monitor privacy and data protection regulatory-compliance requirements
Know where personal information on customers and employees resides within the organization’s IT enterprise
Policies
Organizations with no breaches tend to have policies that value the protection of personal data and how such data is used.

For instance, no-breach organizations are more likely to know where personal information on customers and employees resides within the organization’s IT enterprise. This understanding enables these organizations to more effectively protect data across the enterprise. Furthermore, organizations with no breaches are more likely to regularly monitor privacy and data protection regulatory-compliance requirements. And, organizations with no breaches are more likely than those with two or more to consider a number of data privacy and protection practices important or very important (Figure 11).

Uses
Organizations with no breaches are more likely than those with two or more to take a stricter line in terms of what they think are appropriate uses of personal information.

Both groups largely agree that it is acceptable to use personal information to identify and authenticate customers and for research and product development, as well as to share such information with law enforcement personnel for fraud prevention and the government for national security purposes.

However, the groups differ substantially in their opinions on using personal information in other ways. The group with two or more breaches is more likely to believe it always is acceptable to use such information for targeted marketing and promotions and to sell personal information for profit (Figure 12).
Figure 12. Uses. Organizations with no breaches are more likely than those with two or more to take a stricter line in terms of what they think are appropriate uses of personal information.
Say it is always acceptable to sell personal information for profit: No Breach 32%; Two or More Breaches 47%
Believe it is always acceptable to use such information for targeted marketing and promotions: No Breach 30%; Two or More Breaches 46%
Addressing the Data Privacy and Protection Challenge: Key Actions and Practices
It is clear that organizations today have an urgent need to take a more proactive approach to data privacy and protection to not only minimize the risk of regulatory violations and major fines for non-compliance, but also to avoid experiencing breaches of sensitive personal data that can alienate customers, erode customers’ trust and destroy the organization’s brand and credibility.

With data privacy and protection now a major challenge for all organizations, it is time for the issue to receive more serious attention among not only senior executives, but also all employees. The findings of our research, as well as our work with leading organizations around the world, suggest a number of actions organizations should take to improve their ability to secure sensitive data, and proactively combat threats and position themselves to achieve high performance.

At a broad industry level, organizations must undertake two critical initiatives—the first of which is reexamining their data protection and compliance framework. In most industries, not enough work has been done to ensure that data protection and compliance frameworks have kept pace with how, and how quickly, data is generated, collected and shared. The data protection framework should address data protection at a holistic level and avoid addressing regulatory compliance in a silo. Such a framework not only can reduce overall compliance costs, but also improve an organization’s overall posture for data privacy and protection.

Secondly, organizations should create a common set of data privacy and protection standards that can be applied consistently from country to country to minimize complexity, cost of compliance and chances for breaches while, at the same time, enabling responsible data sharing and global data flows. A global standard must recognize the data privacy and protection ecosystem and assign accountability appropriately across key stakeholders: organizations, individuals and regulators. Each has a role in protecting data and privacy rights. The standard should provide prescriptive guidance on what data must be protected, what the main requirements for data collection and use are, the rules for access to sensitive data, and how to protect the sensitive data based on data sensitivity and classification.
Microsoft has been a leader in urging lawmakers to give data privacy and security a higher priority. “On the legal front, we at Microsoft believe the United States needs an all-inclusive, uniform privacy law that will give consumers more control over their personal data and more reason for confidence in providing information to legitimate businesses and other organizations,” the company stated. “With the flow of information becoming increasingly global, we also see a growing need to align U.S. law with current and emerging privacy standards in the rest of the world.”7
At an individual organization level, organizations should emulate the leaders in our survey by creating a “culture of caring” with regard to data privacy and protection. There are a number of tangible steps organizations can take and practices they can employ to begin creating such a culture to help safeguard sensitive individual information.

Assigning ownership of and accountability for data privacy and protection through a data governance program.
Organizations that want to create a culture of caring and become good stewards of individuals’ sensitive data should assign executive responsibility and oversight for data privacy and data protection, and put in place a data governance program that integrates the processes, people and technology needed to manage data effectively and efficiently. It begins with a custom model consisting of defined roles and responsibilities for data owners and data stewards.

Bringing together those people and functions can help an organization create a comprehensive and coordinated approach to protection and privacy (as well as to the management of information overall). In some cases, it may make sense to establish a data privacy and protection council—comprising stakeholders, data owners and data stewards from across the business—that is responsible and accountable for overseeing how sensitive data is managed and used, as well as for the continuous improvement of the organization’s security posture. Such a coordinated, cross-functional approach helps to reinforce the fact that data privacy and protection is the responsibility of everyone in the organization, and to weave awareness of the issue into the fabric of the organizational culture.

Sun Microsystems, General Electric and Intel all have formally extended the remit of their privacy officer’s role to information governance and/or data security to ensure a holistic approach to information management and protection. And Procter & Gamble has committed to following data privacy policies based on six fundamental tenets: global consistency of principles, local flexibility in implementation, accountability of data owners, privacy across the extended enterprise, choice and access to the individual and a community approach to privacy issues.8
Creating an information strategy that enables the organization to identify, track and control how data flows across all areas of an organization’s systems and processes.
By taking a holistic approach to information management, an organization will be able to manage the entire information life cycle, clearly delineating how data is collected, stored, managed and used (including who is allowed to access and use which data).

To implement such a program, an organization first should conduct an enterprise-wide evaluation of its systems and processes to identify all flows of sensitive data. With such intelligence in hand, the organization can put in place the mechanism for an ongoing evaluation of the legitimacy of various uses of sensitive data within all business processes to limit the collection and storage of such data, as well as an ongoing regular review of all business processes that involve sensitive data to identify the creation of any new sources of data and new data flows that could be compromised if left unprotected.

Procter & Gamble, often cited as a leader in data privacy, is committed to understanding where its data resides. The company has identified and monitors data repositories within the organization that contain personal data on individuals in 14 categories.9
One of the ways to keep tabs on new sources of potentially sensitive data is to conduct a Data Privacy Impact Assessment for new systems and processes that collect and use personal data. Such an assessment has long been endorsed by privacy regulators in Europe and North America, and recently it has become a requirement for all US federal departments and the UK government departments. Many companies, too—including Accenture, Google and Acxiom—use the method to evaluate new business processes, offerings and services and ensure that data privacy is addressed from the very beginning.

Evaluating their current data privacy and protection technologies to confirm they are providing the necessary level of protection.
Because computer incident-response technologies are not generating adequate insights from prior breaches—thus impairing proactive risk management—organizations should reevaluate their installed base of such tools and consider enhancing or replacing them. Implementing the right technology will help an organization manage information effectively and support its security, governance, and information management goals. More importantly, because technology alone does not prevent potential information loss, it must work in concert with the agreed-upon data governance framework and standards, as well as the data governance council.

Companies such as Microsoft and Intel have sought to help companies address this issue by embedding data privacy in their product and technology development to ensure new technologies and products are better equipped to comply with data privacy and data security requirements.

Procter & Gamble has been a pioneer in using technology to support its data privacy efforts. The company was among the first to adopt privacy-monitoring software worldwide to help the organization comply with the patchwork of laws governing information from country to country. Among the technology installed are online monitoring tools that automatically check P&G’s consumer websites for compliance with countries’ laws relating to cookie regulation, opt-in marketing and advertising to children. Such software enables P&G’s data privacy team to keep tabs on hundreds of its websites and, by cataloging online content, substantially cut the time necessary to find potential vulnerabilities.10

Building a consistent level of awareness of the importance of data privacy and protection among the workforce and providing employees with the appropriate guidance for how to handle sensitive data.
It is increasingly important for organizations to create more comprehensive and robust employee-education and training programs that promote a consistent and common understanding of data privacy and protection policies and procedures and give specific guidance on how to adhere to them.

However, to create a true culture of caring, an organization must do more than train employees to raise their awareness of the importance of data privacy and protection to both the organization and its customers. They need to motivate employees to take these requirements very seriously by explaining the consequences of a breach for the organization, its mission, its customers and its employees.

Procter & Gamble, General Electric and Accenture are among those that have well-established employee-training and communication platforms that go beyond pure training on data privacy and security policies by seeking to establish a culture of responsible use and sharing of information (including the use of social networking and other Web 2.0 technologies).

Reexamining their data privacy and protection investments.
Few organizations have a true enterprise view of their investments in security—a situation that not only prevents them from understanding the true cost of security, but also makes it difficult for them to reallocate investments as necessary to areas of high priority.
An organization should have a balanced investment when it comes to data privacy and protection. The investment strategy should not be focused on technology alone, but should consider all key aspects of the issue: people (the appropriate training and awareness-building programs); process (process improvement that limits the collection and storage of sensitive data to minimize the exposure of sensitive data and overall scope of compliance); and technology (implementing or enhancing the appropriate data protection controls).
Additionally, any data protection and privacy initiative should be implemented in phases. Such an approach enables an organization to spread the implementation cost over time and allow the implemented controls and processes to become mature, repeatable and optimized.

A growing number of global organizations—including Accenture, General Electric, Phillips and British Petroleum—are developing and implementing comprehensive data privacy compliance programs that are mandatory, are implemented uniformly across their global organizations and provide a high level of privacy and protection for personal data on their employees, customers and website users. These so-called Binding Corporate Rules (BCR) enable these organizations not only to share data across their global operations and processes, but to embed, manage and measure data privacy compliance effectively in all areas.

General Electric, in fact, was recognized by the International Association of Privacy Professionals (IAPP) for the progress it has made in implementing Binding Corporate Rules. GE won the IAPP Privacy Innovation Award in 2006 for being the first company in the world to “pursue a BCR policy that assures employees that their data will be handled using the highest and best practices no matter where in the world the employee or the data is located.”11 The company’s BCR model is the basis for GE’s relationship with its 350,000 global employees and is communicated in 27 languages.

In the public-sector arena, many government agencies that are putting more information and offering more services online are implementing a process to review technology investments to ensure both employee and taxpayer information are adequately secured.
Choosing business partners with care.
Organizations should collaborate with business partners that take equal or greater care with data, and rigorously assess partners’ knowledge, practices and experience in managing sensitive data across organizational and national boundaries in accordance with local privacy laws and industry regulations. Organizations must be vigilant when it comes to confirming the security posture of the companies with which they do business, especially as business takes them to countries with differing standards for data privacy and protection.

Awareness of suppliers’ and other business partners’ security practices—including understanding the country’s data protection regulations under which the organization operates and strictly monitoring how and when their data is used by providers and where such data is sent—is critical to verify proper practices are in place to protect sensitive data. Organizations also should ensure that providers’, as well as their own, responsibility and accountability are clearly understood.

Microsoft is one of a number of leading organizations that have developed vendor-management programs to enable them to embed data privacy considerations and requirements in the procurement process and during delivery. Such companies also have implemented auditing processes to test the providers’ security practices.
Having formal incident response policies, procedures and teams.
Despite the best intentions, incidents do happen. And when they do, it is critical for organizations to have a pre-defined and tested incident-response plan that enables the organization to quickly respond to and address the situation to minimize potential damage the breach can cause. Organizations should have formal policies and procedures for how to deal with breaches, as well as identified incident-response teams (representing all required functional areas) that mobilize when a breach is detected. Also vital to the post-incident response process is a definition of metrics that are important for the organization to track—such as type of incident (virus, malware or inappropriate sites accessed, for instance), frequency of incidents and cost to the enterprise. And, organizations should ensure that the findings of the response team investigating a breach are reviewed with stakeholders outside of the core-security team.

Incident response can be especially challenging in global organizations, where offices often address local incidents on their own without the involvement of the corporate entity’s data security team. Such a localized response can result in the situation spreading to other areas of the organization as well as a failure of the broader enterprise to learn from the incident and make necessary changes to the rest of the organization to help stem such breaches from occurring in the future. To help avoid such disconnects, organizations should more tightly integrate their processes governing the reporting of and response to incidents.
7 “Microsoft Lobbying for Data Privacy Laws,” Joe Lewis, WebProNews, March 21, 2007, http://www.webpronews.com/topnews/2007/03/21/microsoft-lobbying-for-data-privacy-laws
8 “12 Questions Every GC Should Ask,” Corporate Executive Board, 2007, http://74.125.95.132/search?q=cache:NFvwH3dmBEcJ:https://gcrexecutiveboard.com/Members/12Questions/
9 “12 Questions Every GC Should Ask,” Corporate Executive Board, 2007, http://74.125.95.132/search?q=cache:NFvwH3dmBEcJ:https://gcrexecutiveboard.com/Members/12Questions/
10 “P&G Privacy Plan Tackles Data Laws,” Daniel Thomas, Computing, December 2, 2004, http://www.computing.co.uk/computing/news/2071314/g-privacy-plan-tackles-laws
11 “The IAPP Announces Winners of the IAPP Privacy Innovation Awards,” organization news release, October 24, 2006, https://www.privacyassociation.org/index.php?option=com_content&task=view&id=967&Itemid=116
Making Data Privacy and Protection a Core Business Value

As personal and sensitive data continue to be generated in ever-greater volumes, it is imperative that organizations take greater strides to protect this important asset—and not just because the laws say they should. Indeed, as our research shows, compliance should be only one part of a much larger and comprehensive approach to data privacy and protection.

More importantly, an organization’s approach to data privacy and protection must not only be legally compliant, but also be a central element of the organization’s value proposition. And because of the global nature of data flows today and the fact that many countries don’t view the issue in the same way, the most effective data privacy and protection programs are globally reaching.

Organizations that view the issue of data privacy and protection as a C-suite concern and make it a core principle that guides their business will reap the benefits of lower risk of fines and enforcement action; a consistently high level of protection regardless of where in the world sensitive data is generated, stored, accessed or used; and a stronger brand and reputation that helps attract and retain customers. In other words, a superior approach to safeguarding sensitive data—one that positions data privacy and protection as a core corporate value—can be a distinctive capability that can help drive high performance in a dynamic and unpredictable global economy.
Contact

For more information about our Data Privacy and Protection services, visit accenture.com/dataprivacy

Global Security lead
Alastair MacWillson
alastair.macwillson@accenture.com
+44 20 7844 6131

Global Data Privacy and Protection lead
Paul O’Rourke
p.orourke@accenture.com
+61 3 98387488

Chief Risk Officer, BPO and Technology Growth Platform
John B. McCormick
john.b.mccormick@accenture.com
+1 312 693 2589

Geographic Data Privacy and Protection leads

Austria, Switzerland and Germany
Mario Knop
mario.knop@accenture.com
+49 175 57 61046

Canada
Andy Truscott
andrew.j.truscott@accenture.com
+1 416 641 4114

Benelux and France
Frederic Peters
frederic.peters@accenture.com
+33 1 565 27 080

Italy, Greece and Emerging Markets
Enrico Palme
enrico.palme@accenture.com
+39 06 595 61111

Nordics
Gaute Lien
gaute.lien@accenture.com
+47 991 191 60

Australia, Singapore, Malaysia and South Korea
Troy Braban
troy.braban@accenture.com
+61 3 983 87 555

Spain and Portugal
Javier Martin
javier.martin@accenture.com
+34 91 546 9630

United States
David Kuo
david.kuo@accenture.com
+1 415 537 5094

United Kingdom and Ireland
Theresa Pa
Theresa.pa@accenture.com
+44 20 7844 8432
Copyright © 2009 Accenture. All rights reserved.

Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

About Accenture
Accenture is a global management consulting, technology services and outsourcing company. Combining unparalleled experience, comprehensive capabilities across all industries and business functions, and extensive research on the world’s most successful companies, Accenture collaborates with clients to help them become high-performance businesses and governments. With approximately 177,000 people serving clients in more than 120 countries, the company generated net revenues of US$21.58 billion for the fiscal year ended Aug. 31, 2009. Its home page is www.accenture.com.

About Ponemon Institute LLC
Ponemon Institute conducts independent research on consumer trust, privacy, data protection and emerging data-security technologies. Their goal is to enable organizations in both the private and public sectors to have a clearer understanding of the trends in practices, perceptions and potential threats that will affect the collection, management and safeguarding of personal and confidential information about individuals and organizations. Ponemon Institute research informs organizations on how to improve upon their data protection initiatives and enhance their brand and reputation as a trusted enterprise.

As a member of the Council of American Survey Research Organizations (CASRO), Ponemon Institute upholds strict data confidentiality, privacy and ethical research standards. They do not collect any personally identifiable information from individuals or company identifiable information in our business research. Furthermore, they have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions. For more information, visit www.ponemon.org.

15 percent total recycled fiber.