Accenture How Global Organizations

8/6/2019 Accenture How Global Organizations

http://slidepdf.com/reader/full/accenture-how-global-organizations 1/32

How Global OrganizationsApproach the Challenge

o Protecting Personal Data



Passing the Tipping Point 1

Finding 01There is a notable di erence between organizations’ intentions regarding dataprivacy and how they actually protect it, creating an uneven trust landscape 8

Finding 02A majority o organizations have lost sensitive personal in ormation, and among theseorganizations, the biggest causes are internal and there ore something they potentiallycould control

Finding 03 Compliance complacency is prevalent throughout the world 16

Finding 04Understanding the perspective on and approach to data privacy and protectionamong third parties with which an enterprise does business is crucial 18

Finding 05Organizations that exhibit a “culture o caring” with respect to data privacyand protection are ar less likely to experience security breaches 20

Addressing the Data Privacy and Protection Challenge: Key Actions and Practices 24

Contents



Passing theTipping Point

Data Privacy and Protection at the Tipping Poin

The volume o personal and o tensensitive data being collected andshared by organizations todayis growing exponentially—largelybecause o technology advances,lower data storage costs, the riseo the Internet and the emergenceo major data brokerage companies

However, as the amount o data anorganization generates and collectshas increased, so has the risk theorganization aces o losing data andexperiencing security breaches Indeed,many organizations around the worldhave had their data compromised and

have paid steep prices to repair thedamage, nes, share-price declinesand overall erosion o customer trust

There is no doubt that organizationstoday are generating more data thanever In act, according to research

rm IDC, despite the current economicdownturn, the volume o digital datagenerated in 2008 increased 3 percentmore than orecast and is expected todouble every 18 months1

Along with this increase in the volumeo data has come a substantial risein the potential or organizations toexperience incidents in which theirdata is compromised in some wayDisruptive technologies such asso tware-as-a-service (SaaS) and

cloud computing are one o the actorsSourcing IT solutions rom multiplecontent and service providers unlocksdata held in IT silos and disperses it

This increases risk by enablingcon dential enterprise data to crossorganizational boundaries, and thecloud itsel presents risks becauseorganizations have less direct controlover how data is managed Becausetheir core business is based on securestoring customers’ data, major cloudproviders have made progress in ITsecurity In act, many o them omore sophisticated end-to-end,base-level security and privacyprotection than might be oundin the data centers o any singleenterprise However, there are stillmany open issues, such as datacontrol and certi cation



2 Accenture

Lightweight systems integrationalso contributes to the challengeTaking advantage o Web 2 0-basedcollaboration tools, including “mash-ups” that combine disparate datastores in easy-to-use inter aces,can be an innovative way to improveproductivity Un ortunately, such userparticipation can lead to an increasein employees sharing sensitive enter-prise data—anytime, anywhere, viaany device In act, the portability o data (made possible by fash drives,CDs and other gadgets), coupled withthe ability to access data via mobiledevices (laptops and smart phones,

or example), make it increasinglyeasy or data to be lost, stolen orabused The security in a networkedand inter aced world is as weak asits weakest link

Un ortunately, while data privacyregulations continue to multiply,such regulations generally are notanchored on a common global standardWorse, they also have trouble keepingup with technology advances andbusiness practices that are dramaticallychanging how data is created, sharedand stored The result is a maze o regulations and privacy laws that areo ten intricate and complex at best,and at worst are costly and contradic-tory, or ail to properly addresschanging business models, global-data fows and technology advances

Beyond regulations, organizationsthemselves have not kept pace inseveral critical areas Many havetrouble ully understanding howand where data fows across theorganization, as well as establishingclear ownership and accountability

or such data

Furthermore, organizations o ten donot set clear expectations or employeesin the area o data privacy and, inmany cases, have technology in ra-structures that no longer providesu cient protection o sensitive data

The preceding shortcomings havemade organizations extremelyvulnerable to security breaches andmisuse o sensitive data Indeed,in the United States alone, morethan 263 million records containingsensitive personal in ormation havebeen involved in security breachessince January 2005 2 Such breaches

can have serious implications

Data privacy and protection shortcomings can do

irreparable harm to companies’ balance sheets, notto mention their brands, credibility and customertrust and relationships




Substantial nancial costs torespond to and remedy the breachAccording to the Ponemon Institute,the costs associated with a securitybreach have been rising year over year

Fines, regulatory en orcementand lawsuitsA number o organizations aroundthe world have su ered nes andlawsuits as a result o breaches theyexperienced For instance, U S -basedretailer TJ Maxx has set aside morethan $200 million to deal with potential

liability in the massive breach itexperienced in January 20073

Erosion o shareholder valuePublicly held companies experiencingbreaches o con dential in ormationtypically su er a 5 percent dropin stock price when such a breachis made public 4

Inability to conduct business or,in the most extreme case, a collapseo political and economic stabilityToday’s computing in rastructures(including networks, systems, applica-tions and data) are inextricably linkedto the success ul unctioning o government, society and the economy

Given the interconnected natureo commerce and geopolitics, i thesein rastructures are compromised, daily

operations will grind to a halt, creatinga ripple e ect across the globe

In short, data privacy and protectionshortcomings put organizations inthe dangerous position o no longerbeing able to assure customers thattheir data is sa e rom misuse andat risk o massive breaches that doirreparable damage to their balancesheets, brands and customer relation-ships The challenge is particularly acute

or multinational companies, whichoperate across multiple countries withtheir own privacy laws and culturalattitudes and are subject to a varietyo industry regulations

1 IDC White Paper sponsored by EMC,As the Economy Contracts The DigitalUniverse Expands, May 20092 http://www privacyrights org/ar/ChronDataBreaches htm3 http://www usatoday com/tech/techinvestor/industry/2008-04-02-tjx-data-breach_n htm4 “The Economic Cost o Publicly AnnouncedIn ormation Security Breaches: EmpiricalEvidence rom the Stock Market,” KatherineCampbell, Lawrence A Gordon, Martin P Loeb,and Lei Zhou,Journal of Computer Security ,

Vol 11, No 3, 2003, pp 431-448



4 Accenture

Accenture Research onData Privacy and Protection

Given the primacy o the issue,Accenture set out to shed light onthe current state o data privacyand protection by surveying businessleaders and individuals around theworld Our ndings rein orced thenotion that data privacy and protectionis becoming more di cult or organi-zations to address and that sensitivepersonal data increasingly is at risk

The objective o Accenture’s researchwas to understand how data privacyperceptions and practices around theglobe— rom both business leadersand individuals—in orm and infuencedata protection practices

Our research involved two globalsurveys In one survey, we polled5,500 business leaders in 19 countries(Figure 1) Fi ty-one percent o thoseparticipants were in managementpositions and 45 percent o themrepresented organizations with morethan $2 billion in annual revenue(Figure 2) The second survey weconducted involved more than 15,000adult-age individuals in the same19 countries (Figure 1)

It is important to note thatorganization size did not undulyinfuence our results In virtually

all cases, there was no substantivedi erence between how businessleaders representing smaller organiza-tions (those with ewer than 1,000people) responded and how those rommedium-size and large organizations(more than 75,000 employees)answered the questions The loneexception is that larger organizationswere ar more likely than smallerorganizations to report havingexperienced breaches




Figure 1Business respondents and individuals participating in the survey represented 19 countries around the world

Business Respondents

North America(10%)

Canada

United States

Europe (43%) Belgium

Italy

France

Germany

Netherlands

Russian Federation

Switzerland

United Kingdom

Asia (28%) Australia

Singapore

Korea

Japan

India

Hong Kong

Central/SouthAmerica (16%)

ArgentinaBrazil

Mexico

Individuals

North America(11%)

Canada

United States

Europe (43%) Belgium

Italy

France

Germany

Netherlands

Russian Federation

Switzerland

United Kingdom

Asia (32%) Australia

Singapore

Korea

Japan

India

Hong Kong

Central/SouthAmerica (16%)

ArgentinaBrazil

Mexico

Figure 2Annual revenues (or public sector equivalent) o organizations participating in the survey

22%

20%

15%

10%

23%

4%

$501 to 2 billion

$2 to 5 billion

$5 to 10 billion

$10 to 20 billion

Less than $100 million

$100 to 500 million



6 Accenture

Five key ndingsemerged romour research.




Finding 01

There is a notabledi erence betweenorganizations’intentions regardingdata privacy and howthey actually protectit, creating an uneventrust landscape

Finding 02

A majority o organizations havelost sensitive personalin ormation, andamong these organi-zations, the biggestcauses are internaland there ore some-thing they potentiallycould control

Finding 03

Compliance compla-cency is prevalentthroughout the world

Finding 04

Understanding theperspective on and

approach to dataprivacy and protectiono business partnersis crucial

Finding 05

Organizations that

exhibit a “culture o caring” with respectto data privacy andprotection are ar lesslikely to experiencesecurity breaches



8 Accenture

Finding 01

There is a notable di erence between organizations’intentions regarding data privacy and how theyactually protect it, creating an uneven trust landscape




Not surprisingly, data privacy andprotection is an issue o concern

or businesses as well as individuals

Approximately 70 percent o bothbusiness and individual respondentsstrongly agreed or agreed that organi-zations have an obligation to takereasonable steps to secure consumers’personal in ormation, disclose how theyuse consumers’ personal in ormationand deal with the rami cations i theylose consumers’ personal in ormation

However, beyond the preceding,our survey revealed some troubling

inconsistencies Between 40 and50 percent o the business respondentsin our survey:

Were unsure about or actively•

disagreed with granting individualsthe right to control the type o personal in ormation about themthat is collected and how thatin ormation is used

Did not believe it was important•

or very important to limit thecollection and sharing o sensitivepersonal in ormation, protectconsumer privacy rights, preventcross-border trans ers o personalin ormation to countries withinsu cient privacy laws andprevent cyber crimes againstconsumers and data loss or the t

Did not believe a range o typical•

organizational privacy practiceswere important or very important

(including notice, consent, access,redress, security, minimizationand accuracy)

There are several possible explanationsor this inconsistency, one o which

is industry di erences In some

industries, protection o consumers’data is paramount because o thetype o in ormation involved and thetrust consumers place in the institution(such as nancial services), whilein others, it is not viewed as criticalbecause the companies involveddo not have direct contacts withconsumers ( or instance, in a businessto business setting such as componentmanu acturers)

Cultural or regional di erences alsomay play a role Indeed, there are cleardi erences in how various cultures,countries and regions view the issueo privacy The issue is ar moreimportant in the United States andEuropean countries than in emergingmarkets and, thus, the ormer havemuch stronger regulations and lawsconcerning data and in ormationprivacy Such di erences can beexacerbated by the con usion createdby di erent regulatory approachesor even conficts o law For instance,businesses with systems located inor accessible rom the United Statesthat host personal data or Europeand Canada may struggle to determinehow to meet requirements o the U SPatriot Act (which gives the govern-ment the ability to request personaldata in the name o national security),the Canadian Personal In ormationProtection and Electronic DocumentsAct (which codi ed a series o privacyprinciples established in 1996 as anational standard or the collection,use and disclosure o personalin ormation), or any o the nationaldata privacy laws implementing theEuropean Union Data ProtectionDirective o 1995

In addition, a lack o a clear de nitioo accountability and responsibility

or data privacy and protection within

the organization is a contributingactor Many organizations do not

clearly de ne where the oversight odata privacy and protection lies Thealso may nd that the managementresponsibility and accountabilitycan be ragmented, with the Chie In ormation O cer, Chie In ormaSecurity O cer, Chie Privacy Oor the legal unction all having someinvolvement, depending on the speciaspect o data privacy and protection question For instance, the CIO couldresponsible or maintaining IT and dsecurity, the Privacy O cer or settipolicies and procedures and generalcounsel or ensuring the organizationis complying with regulations Furthmore, organizations o ten do a poor

job o assigning individual accountabito employees through appropriatepolicy education and training



10 Accenture

Organizations

Individuals

0%

Identity theft 26

2323

3422

2917

1917

12

6

137

11

7

9

3452

28

Diminished civil liberties or human rights

Malware or spyware infection

Stalking or spying

Unwanted e-mail (spam)

Internet marketing abuses

Cyber bullying

Revelation of secrets

Stolen assets

Government surveillance and censorship

10% 20% 30% 40% 50% 60%

*% Indicating issue is a top-three privacy concern

Organizations and individualsdi er on privacy concernsWe also ound there are some sub-stantial di erences in privacy concernsbetween individuals and businessesand government agencies, suggestingorganizations may not be ocusinge orts and investments in the areasabout which individuals care most(Figure 3)

While business and governmentrespondents were most likely to citeidentity the t (52 percent) as one o their most signi cant privacy concerns,individuals were most likely to selectrevelation o secrets and government

surveillance and censorship (eachwith 34 percent) These concernsamong individuals are likely heightenedin the wake o the post-9/11 push bygovernments to collect and share moreintelligence on citizens in an attemptto more e ectively root out threatsto national security

Interestingly, individuals’ attitudestoward privacy and in ormation sharingare highly dependent on the type o in ormation being shared and thesituation in which it is being shared—which can create challenges ororganizations that depend on certain

in ormation (such as speci c demo-graphic data or targeted marketing)

Individuals are most com ortable sharingwith governments and businesses typicalcontact in ormation—name, homeaddress, telephone number and gender(which are among the most likely typeso in ormation our business respondentsreported collecting)

Figure 3Individuals and organizations di er on privacy concerns



Data Privacy and Protection at the Tipping Point

43

39

35

35

29

27

23

14

6

3

Visiting healthcare provider

Voting in local or national elections

Traveling to other countries

Conducting bank transactions

Performing work-related activities

Filing tax, census or other government documents

Participating in online social networks, blogs or wikis

Performing Internet search or browsing

Paying outstanding bills

Making a credit-card purchase

0% 5% 10% 15% 20% 25% 30% 35% 40% 45%

Figure 4Individuals value privacy di erently depending on the situation

*% o individuals indicating privacy is most important when conducting this activity

Individuals are least willing to providetheir race or ethnic background andmedical history Perhaps not surprisingly,the largest percentage o individuals(43 percent) said privacy is mostimportant to them when visitinga healthcare provider (Figure 4)This nding is consistent with the

act that many laws now de nehealth-related data as sensitive andare providing additional sa eguards

or them

Individuals also are especiallyconcerned about maintaining theirprivacy when searching or browsing

the Internet They worry about theability o government and businessesto monitor their habits onlineand combine that in ormationwith other personal data to createpersonal pro les

Conversely, individuals are leastconcerned about their privacy whenparticipating in social networking,wikis and blogs—which are o ten theleast secure kind o interaction on theWeb This particular nding certainlyillustrates the shi t in mindset amongmany individuals in the past ve yearsin terms o what is considered “private”in ormation—a shi t that can createmajor challenges or employers whensetting and en orcing privacy policiesamong a work orce that now containsa substantial portion o the youngergeneration, who have distinctlydi erent views o what constitutessensitive or personal in ormation



12 Accenture

Finding 02

A majority o organizations have lost sensitivepersonal in ormation, and among these organizations,the biggest causes are internal and there ore some-thing they potentially could control This suggestsaccountability or and ownership o how sensitivedata is used may be lacking in many organizations




Our survey revealed that securitybreaches are an ongoing challenge

or many organizations Fi ty-eight

percent o executives polled saidthey have lost sensitive personalin ormation, and or nearly 60 percento those who have had a breach, itwas not an isolated event ( Figure 5)

Larger organizations appear tostruggle more to prevent breaches thansmaller ones—likely because, with manymore employees and more geographicallydispersed operations, the opportunities

or data to be lost or compromised

are greater Indeed, just under 70 percento organizations with more than 75,000employees have experienced a loss o sensitive personal in ormation, comparedwith 40 percent o organizations with

ewer than 500 people (Figure 6)

Individuals themselves are somewhatskeptical that organizations are doingenough to prevent such breaches,as 42 percent said they either are notsure or do not believe that companies

and government agencies are adequatelyprotecting personally identi able datathey have shared with these organizations

Healthcare providers were named bythe largest percentage o individualsas the type o organization most likelyto protect in ormation (44 percent),

ollowed by the individuals’ ownemployers (39 percent) Interestingly,only 14 percent said governmentagencies are most likely to protect

personally identi able in ormation(Figure 7)—a nding that, again, seemsto rein orce individuals’ unease withthe steps governments have taken in

the post-9/11 era to enhance nationalsecurity, as well as the increase inwell-publicized data breaches by

government agencies in the past yearInternal issues—employees(48 percent) and business or system

ailure (57 percent)—were citedmost o ten as the source o thebreaches (Figure 8)—a nding thatis in stark contrast to common perceptionthat external orces are the biggestthreats to privacy and securityHowever, this result is consistentwith reports o major breaches,

many o which were caused notby malicious external hacking butby simple error or negligence byan organization’s employees

Indeed, a study by Cisco Systemsound that two-thirds o end users

in organizations have done one or moreactivities that could compromisecorporate IT security, such as steppingaway rom their computer withoutlogging o or shutting down, leaving

their computer on their desk overnight,or carrying corporate data on portable-storage devices outside o the o ce6

6 “Security Thought Leadership: Data LeakageStudy,” Cisco Systems, August 2008

b I yes, how o ten has this occurredin the past 24 months?

1 or 2 times

3 to 5 times

More than 5 times

Can’t recall

Only once

26%

15%

16% 12%

31%

Figure 5A majority o organizations haveexperienced a security breach—andmany have more than once

a Did your organization ever losesensitive personal in ormation?

10%

58%

31%

No

Can’t recall

Yes



14 Accenture

Figure 6Larger organizations are more likely than smaller organizations to have lost sensitive personal data

>75,000

Number of employees

Percentage that lost sensitive data

500 – 1,000

500<

25,001 – 75,000

5,001 – 25,000

1,001 – 5,000

0% 10% 20% 30% 40% 50% 60% 70%

68

67

61

58

49

40

Figure 8Internal issues are the most requent causes o security breaches

System or technical glitches

Negligent or incompetent employees

Business-process failures

Cyber crime

Malicious employees

Negligent or incompetenttemporary employees or contractors

0% 5% 10% 15% 20% 25% 30% 35% 40%

35

24

22

18

13

11

Figure 7Individuals believe healthcare providers are most likely to protect in ormation

Healthcare providers

Organization that employs you

Banking institutions

Police

Religious organizations

Government

Telephone services

Retailers (stores you shop at)

Postal service

Internet service provider

44

39

30

21

19

14

14

13

13

9

0% 5% 10% 15% 20% 25% 30% 35% 40% 45%

*% o individuals indicating organization types most likely to protect personally identi able in ormation




Why are the biggest threats comingrom inside the organization?

In our experience, there are several

potential reasons.One o most common reasons is alack o adequate policies and trainingprograms A prevalence o breachesbeing caused by negligent or carelessemployees suggests the organizationhas not done a good enough job o developing and communicating strongpolicies or how sensitive data shouldbe handled Indeed, only 56 percento organizations surveyed said itwas important or very important tohave a policy about their privacypractices Furthermore, breaches mayindicate there are shortcomings inthe privacy- and security-relatedaspects o organizations’ employee-training programs

Lack o adequate controls also canresult in recurring breaches In manyorganizations, employees simply havetoo much access to sensitive dataFor instance, nearly hal o the organi-zations in our survey said limiting thecollection and sharing o sensitivepersonal in ormation was either onlysometimes important, not importantor irrelevant Furthermore, approxi-mately the same percentage believeit is either only sometimes important,not important or irrelevant to limitdata collection to only that which isneeded to ul ll legitimate businessneeds, or to adequately protectand secure individuals’ or customers’personal in ormation And, perhapsmost tellingly, just 19 percent o busi-nesses said it is never acceptable tosell personal in ormation or pro t

Many organizations also typically donot have a ull understanding o datafows across the organization As the

amount o sensitive data an organiza-tion collects increases, it is o tendi cult to keep up with all the areas inwhich such data is generated, collected,stored and used For instance, aboutthree in 10 business respondents saidthey either did not know or wereunsure o where personal in ormationabout customers and employees resideswithin their organization’s ITenterprise

Beyond people and organization issues,shortcomings in organizations’ dataprivacy and protection technologiescan result in data being compromisedHuman error is inevitable Yet organi-zations are not doing enough toimplement technical tools that preventemployees rom taking an action thatwill compromise an organization’sdata security



16 Accenture

Finding 03

Compliance complacency is prevalent around theworld Indeed, many organizations believe simplycomplying with existing regulations is su cientto protect their data However, such a mindset isill-advised given the act that regulations generallyare not su ciently sophisticated or today’s businessenvironment, nor are they consistent or equally

applied across industries and countries




Despite the act that nearly60 percent o organizations indicatedit is important or very important

to avoid regulatory and complianceviolations, and just below 70 percentsaid they regularly monitor privacyand data protection regulatory-compliance requirements, breachesstill have occurred in 58 percento organizations polled Even moreintriguing is the act that more than66 percent o businesses in Europe,where privacy regulations aremost stringent, admit having hada data breach incident in the past24 months, and just under hal o these organizations have had twoor more data breach incidents

The act is, the current spectrum o regulations simply are not sophisticatedenough to be able to account or allpossible problems that could emergegiven the rapidly increasing volume o data that organizations collect and thecomplexity inherent in how such datais accessed and used by organizations

Making matters worse is the actthat there are no common or consistentstandards or dealing with dataprivacy and protection rom countryto country or even within individualcountries For example, in the UnitedStates alone, there are 49 di erentstate laws that regulate noti cationo security breaches, as well asseparate laws that govern the useo various types o data (such as

nancial and health data) How doesan organization know which appliesand, more importantly, create andimplement the internal controls thatenable it to comply with all o them?

Another example demonstrateshow regulations vary by industryIn the United States, the Payment Card

Industry (PCI) Data Security Standard,Health Insurance Portability andAccountability Act (HIPPA), and theGramm-Leach-Bliley Act (GLBA) allwere created with the same goal inmind: to protect sensitive dataHowever, they ocus only on speci cdata elements The PCI standard, orinstance, is only concerned with acredit-card holder’s primary-accountnumber, while HIPPA is designed tosa eguard personal health in ormationand GLBA ocuses on protectingconsumers’ nancial in ormation

Organizations that believe being incompliance with existing regulationsis su cient are not doing enough toproactively protect data and improvetheir overall security posture



18 Accenture

Finding 04

Understanding the perspective on and approachto data privacy and protection among third partieswith which an enterprise does business is crucialOrganizations should “choose care ully the companythey keep ”




According to our survey, 55 percento organizations outsource thecollection or processing o personal

in ormation about customers to a thirdparty (Figure 9) Data must be kept inthe sa est hands possible, and there oretrust and con dence in outsourcingproviders is absolutely crucial

Organizations must understand notonly the provider’s own data privacyand protection program to ensure itmeets (or better yet, even exceeds) theirown e orts, but also its knowledge o and experience with managing data

within and across national boundariesFor instance, Accenture operatesa comprehensive global client dataprotection program that providesa standardized, consistent approachto protecting clients’ data Thisprogram covers all critical elementso data privacy and protection,including employee training, regularmonitoring and auditing, oversight,appropriate responses in case o a

breach, en orcement and disciplineor inappropriate actions, and compre-hensive protective measures to preventbreaches The program refects the

act that Accenture views sa eguardingclient in ormation as one o its most

undamental and important responsi-bilities, and essential to maintainingthe trust that orms the cornerstoneo its client relationships

Figure 9A slight majority o organizations outsourcethe collection or processing o personalin ormation about customers to a third party

No

Unsure

Yes

6%

55%

40%



20 Accenture

Finding 05

Organizations that exhibit a “culture o caring”with respect to data privacy and protection are arless likely to experience security breaches Suchorganizations tend to view themselves as stewards,not owners, o personal data and take actions toprotect data entrusted to them




As mentioned earlier, 58 percent o organizations experienced at least onesecurity breach in the past two years

while 31 percent did not And in act,21 percent o organizations actuallyhad two or more breaches, suggestingserious security shortcomings in someareas o those businesses Recurringbreaches were just as likely to occurin large organizations as they were insmaller enterprises

When we compared the group thathad no breaches with the group thathad two or more incidents, we ound

the ormer group demonstrates somesubstantial di erences rom the latterin terms o their attitudes and policiesregarding data privacy and protection,as well as in what they thought wereacceptable uses o personal dataIn general, our analysis indicates thatthose organizations with no breachesseem to exhibit an overall “culture o caring” with regard to sensitive dataand a mindset that they are not ownerso such data but, rather, stewards o that data and it is their responsibilityto protect and sa eguard it

AttitudesOrganizations with no breaches weremore likely than those with two ormore to believe individuals own theirpersonal in ormation and the enterpriseis responsible or managing andprotecting it

As noted in Figure 10, the ormertended to believe individuals havesubstantial rights to manage, correctand control in ormation collectedabout them and to understand howsuch in ormation is being usedAdditionally, the “no breach” groupwere more likely to eel a strongerobligation to uphold data privacy andprotection— or instance, by takingreasonable steps to secure individuals’personal in ormation, control whohas access to such in ormation,disclose to individuals how theirpersonal in ormation is used, andhelp them i the organization losestheir personal in ormation



22 Accenture

Figure 11Policies. Organizations with no breaches tend to have policies that value the protection o sensitive dataand how such data is used

No Breach

Two or More Breaches

0% 10% 20% 30%

5159

4353

48

49

55

56

59

66

71

75

40% 50% 60% 70% 80%

Ensure data collected and used is accurate, not falseor misleading (Accuracy)

Limit data collection to only that which is needed tofulfill legitimate business needs (Minimization)

Give consumers or customers the ability to view andedit information collected about them (Access)

Have a policy about their privacy practices (Disclosure)

Regularly monitor privacy and data protectionregulatory-compliance requirements

Know where personal information on customers andemployees resides within the organization’s IT enterprise

Figure 10Attitudes . Organizations with no breaches were more likely than those with two or more to believeindividuals own their personal in ormation and the enterprise is responsible or managing and protecting it

No Breach


Organizations have an obligation toindividuals if they lose their personal information

Organizations have an obligation toindividuals how their personal information is used

Organizations have an obligation to control whohas access to individuals’ personal information

Organizations have an obligation to take reasonablesteps to secure individuals’ personal information

Individuals have a right to change incorrectinformation collected and used by organizations

Individuals have a right to access and review theirpersonal information collected and used by organizations

Individuals have a right to control how theirpersonal information is used

Individuals have a right to control informationcollected about them and their family

0%

58

62

60

43

44

45

51

52

52

4350

73

72

72

6072

10% 20% 30% 40% 50% 60% 70% 80%




PoliciesOrganizations with no breachestend to have policies that value theprotection o personal data andhow such data is used

For instance, no-breach organizationsare more likely to know where personalin ormation on customers and employeesresides within the organization’s ITenterprise This understanding enablesthese organizations to more e ectivelyprotect data across the enterpriseFurthermore, organizations with nobreaches are more likely to regularlymonitor privacy and data protectionregulatory-compliance requirementsAnd, organizations with no breachesare more likely than those with twoor more to consider a number o data privacy and protection practicesimportant or very important (Figure 11)

UsesOrganizations with no breaches aremore likely than those with two ormore to take a stricter line in termso what they think are appropriateuses o personal in ormation

Both groups largely agree that it isacceptable to use personal in ormationto identi y and authenticate customersand or research and product develop-ment, as well to share such in ormationwith law en orcement personnel or

raud prevention and the governmentor national security purposes

However, the groups di er substantiain their opinions on using personalin ormation in other ways The grouwith two or more breaches is morelikely to believe it always is acceptabto use such in ormation or targetedmarketing and promotions and tosell personal in ormation or pro t(Figure 12)

Figure 12Uses. Organizations with no breaches are more likely than those with two or more to take a stricter line in termso what they think are appropriate uses o personal in ormation

No Breach


4732

4630

0% 10% 20% 30% 40% 50%

Say it is always acceptable to sell personal informationfor profit

Believe it is always acceptable to use suchinformation for targeted marketing and promotions



Addressing the Data Privacy and Protection Challenge Key Actions and Practices

24 Accenture

It is clear that organizations todayhave an urgent need to take a moreproactive approach to data privacyand protection to not only minimizethe risk o regulatory violations andmajor nes or non-compliance, butalso to avoid experiencing breacheso sensitive personal data that canalienate customers, erode customers’trust and destroy the organization’sbrand and credibility

With data privacy and protection nowa major challenge or all organizations,it is time or the issue to receive moreserious attention among not only senior

executives, but also all employees Thendings o our research, as well as

our work with leading organizationsaround the world, suggest a number o actions organizations should take toimprove their ability to secure sensitivedata, and proactively combat threatsand position themselves to achievehigh per ormance

At a broad industry level, organizationsmust undertake two critical initiatives—the rst o which is reexaminingtheir data protection and compliance

ramework In most industries, notenough work has been done to ensurethat data protection and compliance

rameworks have kept pace withhow, and how quickly, data is gener-ated, collected and shared Thedata protection ramework shouldaddress data protection at a holisticlevel and avoid addressing regulatorycompliance in a silo Such a rameworknot only can reduce overall compliancecosts, but also improve an organiza-tion’s overall posture or data privacyand protection

Secondly, organizations should createa common set o data privacy andprotection standards that can beapplied consistently rom country tocountry to minimize complexity, costo compliance and chances or breacheswhile, at the same time, enablingresponsible data sharing and globaldata fows A global standard mustrecognize the data privacy andprotection ecosystem and assignaccountability appropriately acrosskey stakeholders: organizations,individuals and regulators Each hasa role in protecting data and privacyrights The standard should provideprescriptive guidance on what datamust be protected, what the mainrequirements or data collectionand use are, the rules or access tosensitive data, and how to protectthe sensitive data based on datasensitivity and classi cation




Microso t has been a leader in urginglawmakers to give data privacy andsecurity a higher priority “On the

legal ront, we at Microso t believethe United States needs an all-inclusive,uni orm privacy law that will giveconsumers more control over theirpersonal data and more reason orcon dence in providing in ormationto legitimate businesses and otherorganizations,” the company stated“With the fow o in ormationbecoming increasingly global, we alsosee a growing need to align U S lawwith current and emerging privacystandards in the rest o the world ”7

At an individual organization level,organizations should emulate theleaders in our survey by creating a“culture o caring” with regard todata privacy and protection There area number o tangible steps organiza-tions can take and practices theycan employ to begin creating sucha culture to help sa eguard sensitiveindividual in ormation

Assigning ownership o andaccountability or data privacyand protection through a datagovernance program.Organizations that want to createa culture o caring and become goodstewards o individuals’ sensitivedata should assign executive responsi-bility and oversight or data privacyand data protection, and put in place

a data governance program thatintegrates the processes, people andtechnology needed to manage datae ectively and e ciently It beginswith a custom model consisting o de ned roles and responsibilities

or data owners and data stewards

Bringing together those people andunctions can help an organization

create a comprehensive and coordinated

approach to protection and privacy(as well as to the management o in ormation overall) In some cases,it may make sense to establish adata privacy and protection council—comprising stakeholders, data ownersand data stewards rom across thebusiness—that is responsible andaccountable or overseeing howsensitive data is managed and used,as well as or the continuousimprovement o the organization’ssecurity posture Such a coordinated,cross- unctional approach helps torein orce the act that data privacyand protection is the responsibility o everyone in the organization, and toweave awareness o the issue into the

abric o the organizational culture

Sun Microsystems, General Electricand Intel all have ormally extendedthe remit o their privacy o cer’srole to in ormation governance and/ordata security to ensure a holisticapproach to in ormation managementand protection And Procter & Gamblehas committed to ollowing dataprivacy policies based on six undamentaltenets: global consistency o principles,local fexibility in implementation,accountability o data owners, privacyacross the extended enterprise, choiceand access to the individual and acommunity approach to privacy issues8

Creating an in ormation strategythat enables the organization toidenti y, track and control how

data fows across all areas o anorganization’s systems and processesBy taking a holistic approach toin ormation management, an organiztion will be able to manage theentire in ormation li e cycle, clearlydelineating how data is collected,stored, managed and used (includingwho is allowed to access and usewhich data)

To implement such a program, an

organization rst should conductan enterprise-wide evaluation o itssystems and processes to identi yall fows o sensitive data With suchintelligence in hand, the organizationcan put in place the mechanism oran ongoing evaluation o the legitimaco various uses o sensitive data withall business processes to limit thecollection and storage o suchdata, as well as an ongoing regularreview o all business processes thatinvolve sensitive data to identi ythe creation o any new sources o data and new data fows that couldbe compromised i le t unprotected

Procter & Gamble, o ten cited as aleader in data privacy, is committedto understanding where its dataresides The company has identi edand monitors data repositories withinthe organization that contain personaldata on individuals in 14 categories 9



26 Accenture

One o the ways to keep tabs on newsources o potentially sensitive datais to conduct a Data Privacy Impact

Assessment or new systems andprocesses that collect and use personaldata Such an assessment has longbeen endorsed by privacy regulatorsin Europe and North America, andrecently it has become a requirement

or all US ederal departments andthe UK government departmentsMany companies, too—includingAccenture, Google and Acxiom—usethe method to evaluate new businessprocesses, o erings and services andensure that data privacy is addressed

rom the very beginning

Evaluating their current dataprivacy and protection technologiesto con rm they are providingthe necessary level o protection.Because computer incident-responsetechnologies are not generating adequateinsights rom prior breaches—thusimpairing proactive risk management—

organizations should reevaluate theirinstalled base o such tools andconsider enhancing or replacing themImplementing the right technologywill help an organization managein ormation e ectively and supportits security, governance, and in ormationmanagement goals More importantly,because technology alone does notprevent potential in ormation loss, itmust work in concert with the agreed-upon data governance ramework

and standards, as well as the datagovernance council

Companies such as Microso t andIntel have sought to help companiesaddress this issue by embedding data

privacy in their product and technologydevelopment to ensure new technologiesand products are better equipped tocomply with data privacy and datasecurity requirements

Procter & Gamble has been a pioneerin using technology to support itsdata privacy e orts The companywas among the rst to adopt privacy-monitoring so tware worldwide tohelp the organization comply with

the patchwork o laws governingin ormation rom country to countryAmong the technology installed areonline monitoring tools that automati-cally check P&G’s consumer websites

or compliance with countries’ lawsrelating to cookie regulation, opt-inmarketing and advertising to childrenSuch so tware enables P&G’s dataprivacy team to keep tabs on hundredso its websites and, by catalogingonline content, substantially cutthe time necessary to nd potentialvulnerabilities10

Building a consistent level o awareness o the importance o dataprivacy and protection among thework orce and providing employeeswith the appropriate guidance orhow to handle sensitive data.It is increasingly important ororganizations to create more compre-hensive and robust employee-educationand training programs that promotea consistent and common understandingo data privacy and protection policiesand procedures and give speci cguidance on how to adhere to them

However, to create a true cultureo caring, an organization must domore than train employees to raise

their awareness o the importanceo data privacy and protection to boththe organization and its customersThey need to motivate employees totake these requirements very seriouslyby explaining the consequences o abreach or the organization, its mission,its customers and its employees

Procter & Gamble, General Electricand Accenture are among thosethat have well-established employee-

training and communication plat ormsthat go beyond pure training on dataprivacy and security policies by seekingto establish a culture o responsible useand sharing o in ormation (includingthe use o social networking and otherWeb 2 0 technologies)

Reexamining their data privacy andprotection investments.Few organizations have a trueenterprise view o their investmentsin security—a situation that not onlyprevents them rom understandingthe true cost o security, but alsomakes it di cult or them to reallocateinvestments as necessary to areas o high priority

An organization should have abalanced investment when it comesto data privacy and protection Theinvestment strategy should not be

ocused on technology alone, butshould consider all key aspects o theissue: people (the appropriate trainingand awareness-building programs);process (process improvement that




limits the collection and storage o sensitive data to minimize the exposureo sensitive data and overall scope o

compliance); and technology (imple-menting or enhancing the appropriatedata protection controls)

Additionally, any data protectionand privacy initiative should beimplemented in phases Such anapproach enables an organizationto spread the implementationcost over time and allow the imple-mented controls and processesto become mature, repeatable

and optimizedA growing number o globalorganizations—including Accenture,General Electric, Phillips and BritishPetroleum are developing andimplementing comprehensive dataprivacy compliance programs that aremandatory, are implemented uni ormlyacross their global organizations andprovide a high level o privacy andprotection or personal data on their

employees, customers and websiteusers These so-called BindingCorporate Rules (BCR) enable theseorganizations not only to share dataacross their global operations andprocesses, but to embed, manage andmeasure data privacy compliancee ectively in all areas

General Electric, in act, was recognizedby the International Association o Privacy Pro essionals (IAPP) or the

progress it has made in implementingBinding Corporate Rules GE won theIAPP Privacy Innovation Award in2006 or being the rst company inthe world to “pursue a BCR policy thatassures employees that their data willbe handled using the highest and bestpractices no matter where in the worldthe employee or the data is located ”11 The company’s BRC model is the basis

or GE’s relationship with its 350,000global employees and is communicatedin 27 languages

In the public-sector arena,many government agencies thatare putting more in ormation ando ering more services online areimplementing a process to reviewtechnology investments to ensureboth employee and taxpayerin ormation are adequately secured

Choosing business partnerswith care.Organizations should collaborate withbusiness partners that take equal orgreater care with data, and rigorouslyassess partners’ knowledge, practicesand experience in managing sensitivedata across organizational and nationalboundaries in accordance with localprivacy laws and industry regulationsOrganizations must be vigilant whenit comes to con rming the security

posture o the companies with whichthey do business, especially as businesstakes them to countries with di eringstandards or data privacy and protection

Awareness o suppliers’ and otherbusiness partners’ security practices—including understanding the country’s

data protection regulations underwhich the organization operates andstrictly monitoring how and whentheir data is used by providers andwhere such data is sent—is criticalto veri y proper practices are in placeto protect sensitive data Organizatioalso should ensure that providers’, aswell as their own, responsibility andaccountability are clearly understood

Microso t is one o a number o lead

organizations that have developedvendor-management programs toenable them to embed data privacyconsiderations and requirements inthe procurement process and duringdelivery Such companies also haveimplemented auditing processes totest the providers’ security practices



28 Accenture

Having ormal incident responsepolicies, procedures and teams.Despite the best intentions, incidentsdo happen And when they do, itis critical or organizations to havea pre-de ned and tested incident-response plan that enables theorganization to quickly respond toand address the situation to minimizepotential damage the breach cancause Organizations should have

ormal policies and procedures orhow to deal with breaches, as well asidenti ed incident-response teams(representing all required unctionalareas) that mobilize when a breach isdetected Also vital to the post-incidentresponse process is a de nition o metrics that are important or theorganization to track—such as typeo incident (virus, malware or inappro-priate sites accessed, or instance),

requency o incidents and cost to theenterprise And, organizations shouldensure that the ndings o the responseteam investigating a breach are

reviewed with stakeholders outsideo the core-security team

Incident response can be especiallychallenging in global organizations,where o ces o ten address local

incidents on their own without theinvolvement o the corporate entity’sdata security team Such a localizedresponse can result in the situationspreading to other areas o theorganization as well as a ailure o thebroader enterprise to learn rom theincident and make necessary changesto the rest o the organization to helpstem such breaches rom occurring inthe uture To help avoid such discon-nects, organizations should more tightlyintegrate their processes governing thereporting o and response to incidences

7 “Microso t Lobbying or Data Privacy Laws,”Joe Lewis,WebProNews , March 21, 2007, http://www webpronews com/topnews/2007/03/21/microso t-lobbying- or-data-privacy-laws8 “12 Questions Every GC Should Ask,” CorporateExecutive Board, 2007, http://74 125 95 132/search?q=cache:NFvwH3dmBEcJ:https://gcrexecutiveboard com/Members/12Questions/9

“12 Questions Every GC Should Ask,” CorporateExecutive Board, 2007, http://74 125 95 132/search?q=cache:NFvwH3dmBEcJ:https://gcrexecutiveboard com/Members/12Questions/10 “P&G Privacy Plan Tackles Data Laws,”Daniel Thomas,Computing , December 2, 2004,http://www computing co uk/computing/news/2071314/g-privacy-plan-tackles-laws11 “The IAPP Announces Winners o the IAPPPrivacy Innovation Awards,” organization newsrelease, October 24, 2006, https://wwwprivacyassociation org/index php?option=com_content&task=view&id=967&Itemid=116

Making Data Privacyand Protection a

Core Business ValueAs personal and sensitive datacontinue to be generated in ever-greater volumes, it is imperative thatorganizations take greater stridesto protect this important asset—andnot just because the laws say theyshould Indeed, as our research shows,compliance should be only one parto a much larger and comprehensiveapproach to data privacy and protection

More importantly, an organization’sapproach to data privacy and protectionmust not only be legally compliant,but also be a central element o theorganization’s value proposition Andbecause o the global nature o datafows today and the act that manycountries don’t view the issue in thesame way, the most e ective dataprivacy and protection programs areglobally reaching

Organizations that view the issueo data privacy and protection as aC-suite concern and make it a coreprinciple that guides their businesswill reap the bene ts o lower risko nes and en orcement action;a consistently high level o protectionregardless o where in the worldsensitive data is generated, stored,accessed or used; and a strongerbrand and reputation that helps attract

and retain customers In other words,a superior approach to sa eguardingsensitive data—one that positionsdata privacy and protection as a corecorporate value—can be a distinctivecapability that can help drive highper ormance in a dynamic andunpredictable global economy




For more in ormation about ourData Privacy and Protection services,visit accenture.com/dataprivacy

Global Security leadAlastair MacWillsonalastair macwillson@accenture com+44 20 7844 6131

Global Data Privacy and Protection leadPaul O’Rourkep orourke@accenture com+61 3 98387488

Chie Risk O cerBPO and Technology Growth PlatformJohn B. McCormick

john b mccormick@accenture com+1 312 693 2589

Geographic Data Privacy andProtection leads

Austria, Switzerland and Germany

Mario Knop mario knop@accenture com+49 175 57 61046

CanadaAndy Truscott andrew j truscott@accenture com+1 416 641 4114

Benelux and FranceFrederic Peters

rederic peters@accenture com+33 1 565 27 080

Italy, Greece and Emerging MarketsEnrico Palme enrico palme@accenture com+39 06 595 61111

NordicsGaute Lien gaute lien@accenture com+47 991 191 60

Australia, Singapore, Malaysiaand South KoreaTroy Braban troy braban@accenture com+61 3 983 87 555

Spain and PortugalJavier Martin

javier martin@accenture com+34 91 546 9630

United StatesDavid Kuo david kuo@accenture com+1 415 537 5094

United Kingdom and IrelandTheresa Pa Theresa pa@accenture com+44 20 7844 8432

Contact



Copyright © 2009 AccentureAll rights reserved

Accenture, its logo, andHigh Per ormance Deliveredare trademarks o Accenture

About AccentureAccenture is a global managementconsulting, technology services andoutsourcing company Combiningunparalleled experience, comprehensivecapabilities across all industries andbusiness unctions, and extensiveresearch on the world’s most success ulcompanies, Accenture collaborates withclients to help them become high-per ormance businesses and govern-ments With approximately 177,000people serving clients in more than 120countries, the company generated netrevenues o US$21 58 billion or the

scal year ended Aug 31, 2009 Itshome page is www accenture com

About Ponemon Institute LLCPonemon Institute conductsindependent research on consumertrust, privacy, data protection and

emerging data-security technologiesTheir goal is to enable organizationsin both the private and public sectorsto have a clearer understanding o the trends in practices, perceptionsand potential threats that will a ectthe collection, management andsa eguarding o personal and con den-tial in ormation about individualsand organizations Ponemon Instituteresearch in orms organizations on howto improve upon their data protectioninitiatives and enhance their brandand reputation as a trusted enterprise

As a member o the Councilo American Survey ResearchOrganizations (CASRO) PonemonInstitute upholds strict data

con dentiality, privacy and ethicalresearch standards They do notcollect any personally identi ablein ormation rom individuals orcompany identi able in ormationin our business research Furthermore,they have strict quality standardsto ensure that subjects are not askedextraneous, irrelevant or improperquestions For more in ormation,visit www ponemon org

15 percent total recycled ber

Accenture How Global Organizations

Documents

Transcript of Accenture How Global Organizations