Privacy is about more than data and compliance


Recently, we published a report on the Data Privacy Benchmark Study by Cisco. The main theme of the results of that study is that the events surrounding the corona pandemic have led to a higher appreciation of the concept of privacy among organisations worldwide. We spoke with Michel Schaalje, Security Lead Netherlands at Cisco, about the report.

In recent months, we have seen a good example of the importance of privacy in today’s world. In the Netherlands, the privacy of people tested for Covid-19 was not respected at all. The Municipal Health Services did not sufficiently protect the applications and systems. Personal data were leaked. Technically, there was little wrong with the systems and programmes. There was no undiscovered major leak or a zero-day. The agencies responsible simply didn’t think – or at least didn’t think enough – about the privacy requirements that this kind of data entails.


From a privacy point of view, this is a big mistake. With the information from the compromised systems, you can do all kinds of harm to the people involved. The responsible parties should have monitored it much better, and should have configured the tools better too. The fact that it had been known for months that the data was far too widely accessible only makes it even more distressing. One advantage is that it did put data privacy firmly on the agenda for almost everyone.

Trend towards more focus on privacy

You might think that the importance of privacy in organisations is in bad shape. Fortunately, according to the results of Cisco's Data Privacy Benchmark Study, that is not the case. One of the conclusions of this study is that organisations are actually paying more attention to privacy. There was talk of doubling privacy budgets by 2020. On average, this is now 2.4 million dollars per surveyed organisation. A total of 4400 security professionals who are also involved in privacy completed the questions. The general opinion about privacy legislation is positive. In addition, 90 percent of those questioned indicated that external privacy certifications (such as ISO 27701 and EU Binding Corporate Rules) play an important role in choosing products, services and vendors.

One of the main reasons for the increased attention is the Covid-19 pandemic. Working from home became, and still is, the norm. This raises questions about privacy. In addition, there was more privacy awareness among employees. When they are working from home, they combine their private and professional lives and want their own privacy to be guaranteed as well.

You can read the full report here, if you want to have a look at the details.

Beyond data privacy

In itself, the above reasons are fairly obvious, viewed from a traditional data privacy perspective. As a business, you focus on your data and its optimal protection. However, this is where Schaalje sees the main shift taking place, based on the results of the report. “It’s not just about data privacy anymore, which was the case for a long time,” he says. That is only one part of the privacy issue. A part that is strongly driven within organisations by the desire to be compliant with guidelines, laws and other rules. “It is now about privacy in its broadest sense,” he continues. By this he means the impact of privacy on other components that an organisation has to deal with.

Looking at the results of the study, we see a correlation between the maturity of the privacy policy of an organization and the business benefits it produces. “Whether it’s gaining the trust of your customers or reducing sales cycles, privacy has a positive impact on this,” Schaalje summarizes. In other words, customers of organizations are going to play an increasingly important role in the privacy issue. This does not only concern external customers, by the way. A good privacy policy for home workers within your organization can also make you more attractive as an employer.

Michel Schaalje, Security Lead Netherlands at Cisco

The study, however, does not provide a definitive answer as to whether this link between the maturity of the privacy policy and the business success of an organization is causal. “For that, you would really have to ask customers directly whether privacy was actually an important reason for choosing a vendor,” Schaalje indicates. In any case, the signals in this survey do seem to point in that direction.

On the board’s agenda

When it comes to the impact of privacy beyond the data piece, the increased importance to boards of directors should not be missed either. Of those surveyed, 93 percent indicated they report metrics related to privacy to the board. Of course, the corona crisis plays an important role in this. Especially in periods of great and rapid change, the board of directors must be kept informed.

If we look at the metrics organizations report to the board, we would like to make an important comment. In the top places we see things like audits, impact assessments, data breaches and incident response. These are still ‘old fashioned’ privacy metrics. The somewhat more ‘modern’ values that deal with the maturity of the policy and its value or ROI are at the bottom. “So at this point there could and perhaps should be a little more awareness of what metrics a board should want to receive,” Schaalje indicates.

The Netherlands in the lead

The conclusions we presented above are based on global figures. How is the Netherlands doing? “In the Netherlands we always have a lot of conversations around trust, something where privacy plays an important role,” Schaalje indicates. So there was already more focus here on privacy even before the pandemic. “We’re also comparatively engaged in innovation here as a digital country,” he continues. In his view, data privacy, and the broader impact of privacy, is ultimately also a form of innovation: “Think of the discussions about the Electronic Patients File and smart meters. Those have, in part, stalled on the privacy piece.”

With the above in mind, the average investment in privacy in the Netherlands is, unsurprisingly, a lot higher than the global average. $3.1 million compared to the $2.4 million reported above is a big difference. The difference with the $2.2 million from the rest of Europe is even slightly larger. If you invest more, then the absolute business benefit you get out of it is obviously also greater than in areas where there is less investment. According to Schaalje, this is also clearly visible in the figures.

However, it is true that the relative ratio between investments and their outcomes (the Ratio of Privacy Benefits to Investments) in the Netherlands is significantly lower than average. We get back 1.4 times the investment, while worldwide it is 1.9 times. Compared to last year, this ratio has fallen sharply everywhere. This is of course partly due to unforeseen extra expenses around the corona crisis, but perhaps also to new privacy legislation and more requests from customers, among other things. This was not investigated further in the study.

Conclusion: Privacy has matured

All in all, it is clear that the Netherlands is ahead in many areas when it comes to privacy. This only makes the mess at the GGD (the Municipal Health Services) even bigger. Apparently there is more than enough awareness within our country, only unfortunately not among those responsible for the testing and vaccination environments.

In general, however, according to Schaalje we can definitely say that privacy has come of age. Not only in the Netherlands, but broadly speaking. In conclusion, he reiterates the main lesson from the report: “Privacy is more than data protection and data privacy, but goes from data privacy to protecting the people who use the data, so that organizations can actually build trust.”

How things will proceed in the coming years with the status that privacy and the policies around it have within organizations is to some extent guesswork. Especially since the future is rather uncertain. What will the situation be after we finally emerge from the current crisis? That question is actually impossible to answer at the moment. What Schaalje does know for sure is that “the questions around privacy will remain, since we are not going back to how it was before.” That also means, above all, more ongoing complexity because of the new ways of working. In any case, it makes privacy an interesting topic to keep following.