Organisations around the world are not doing enough to protect data privacy

22 March, 2018


Investments in advanced authentication and encryption set to rise in 2018, says global survey including Ireland

  • Only half (51%) of business executives around the world have an accurate inventory of employee and customer personal data.
  • 40% of Irish CEOs not addressing cyber breaches.
  • Less than half (46%) conduct compliance audits of third parties who handle customer and employee data.
  • 48% say advanced authentication has helped reduce fraud; 46% plan to boost investment in this area in 2018.
  • Less than a third (31%) say corporate board members directly participate in a review of current security and privacy risks.
  • GDPR and the NIS Directive are opportunities for Irish businesses.
  • Only one in three (32%) had started a GDPR assessment at the beginning of 2018.

In today’s data-driven society, privacy, security and trust are more vital and intertwined than ever before. But many organisations are not doing all they can to protect data privacy, according to findings released today from PwC’s 2018 Global State of Information Security® Survey (GSISS).

Less than half of respondents (49%) say their organisation limits collection, retention, and access of personal information to the minimum necessary to accomplish the legitimate purpose for which it is collected. Only 51% of respondents have an accurate inventory of where personal data for employees and customers are collected, transmitted, and stored. And only 53% require employees to complete training on privacy policy and practices.

When it comes to third parties who handle personal data of customers and employees, less than half (46%) conduct compliance audits to ensure they have the capacity to protect such information. And, worryingly, less than one in two (46%) organisations require third parties to comply with their privacy policies.

The survey draws on responses of 9,500 senior business and technology executives from 122 countries, including Ireland.

Speaking at the Irish launch, Pat Moran, PwC Ireland Cyber Leader, commented: “GDPR is just around the corner and it is disappointing that the survey suggests that organisations are not doing enough to protect data privacy.  This is evidenced by the fact that just half of survey respondents around the world have an accurate inventory of employee and customer personal data and only one in three (32%) had started a GDPR assessment at the beginning of 2018.”

“Using data in more innovative ways opens the door to both more opportunities and more risks. In our experience, there are few companies building cyber and privacy risk management into their digital transformation. Understanding the most common risks, including lack of awareness about data collection and retention activities, is a starting point for developing a data-use governance framework.”

Overall, the survey reveals that businesses in Europe lag their North American counterparts in developing an overall information security strategy and implementing data-use governance practices. 

| Region | Overall information security strategy | Requires employee training on privacy | Accurate inventory of personal data | Limits data collection, retention, and access | Audits compliance by third parties | Requires compliance by third parties |
|---|---|---|---|---|---|---|
| North America | 59% | 58% | 53% | 53% | 47% | 47% |
| Europe | 52% | 47% | 47% | 44% | 42% | 44% |

The stakes are high – and there is room for improvement

Senior executives recognise the rising stakes of cyber insecurity. PwC’s latest Irish CEO Pulse survey identified that nearly nine out of ten (86%) Irish CEOs are concerned about cyber threats, but well over a third (40%) are not addressing security breaches.

Importance of building trust – nearly half plan to boost investment in biometrics

PwC expects improvements in authentication technology, including biometrics and encryption, to increasingly help business leaders build trusted networks.  Half of respondents said the use of advanced authentication has improved customer and business partner confidence in the organisation’s information security and privacy capabilities.  Nearly half (48%) said that advanced authentication has helped reduce fraud and 41% said that it has improved customer experience. Furthermore, almost half (46%) confirmed that they plan to boost investment in biometrics and advanced authentication this year.

Data privacy: a matter for the corporate board

Less than a third (31%) of 2018 GSISS respondents say their corporate board directly participates in a review of current security and privacy risks.

Pat Moran commented: “Leadership involvement is really critical when defining the cyber security strategy.  Organisations of all sizes should boost the engagement of corporate Boards in the oversight of cyber and privacy risk management. Without a solid understanding of the risks, Boards are not well positioned to exercise their oversight responsibilities for data protection and privacy matters.”

Viewing GDPR and NIS as an opportunity

The EU’s General Data Protection Regulation (GDPR), which applies to any organisation that does business in the EU, will come into effect on 25th May 2018. Just a third of respondents (32%) confirmed they had started a GDPR assessment at the beginning of 2018. The EU’s Directive on Security of Network and Information Systems (NIS Directive), which aims to boost cyber resilience, also comes into effect in May 2018. Businesses identified by member states as operators of essential services (critical infrastructure), as well as digital service providers (search engines, cloud computing services and online marketplaces), face new requirements under the Directive for security and for reporting incidents to national authorities. As with GDPR, companies could face serious consequences for noncompliance.

Pat Moran concluded: “CEOs should see GDPR and the NIS Directive not as compliance drills but rather as strategic opportunities to align their business for success in a data-driven world. In addition, companies should be reaching out to regulators to build relationships and lines of communication before compliance deadlines arrive.”

ENDS

About PwC
At PwC, our purpose is to build trust in society and solve important problems. We’re a network of firms in 158 countries with more than 236,000 people who are committed to delivering quality in assurance, advisory and tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com.

PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.

©2018 PwC. All rights reserved

About the survey
The Global State of Information Security® Survey 2018 is a worldwide study by PwC, CIO and CSO, conducted in 2017. The survey is based on the responses of more than 9,500 business and IT executives including CEOs, CFOs, CISOs, CIOs, CSOs, vice presidents, and directors of IT and information security from 122 countries including Ireland. 38% of respondents were from North America, 29% from Europe, 18% from Asia Pacific, 14% from South America, and 1% from the Middle East and Africa.

Contact us

Pat Moran
Partner, PwC Ireland (Republic of)
Tel: +353 1 792 5308

Johanna Dehaene
Corporate Communications, PwC Ireland (Republic of)
Tel: +353 1 792 6547