Gartner - privacy policies need to be revised by the end of 2012
Organisations are expected to revise their privacy policies by the end of next year.
According to Gartner, data breaches, cloud computing, location-based services and regulatory changes will force virtually all organisations to review or revise their current privacy policies before the end of next year.
Carsten Casper, research director at Gartner, 2010 said that new threats to personal data and privacy are emerging while budgets for privacy protection remained under pressure. He said: “Throughout 2011 and 2012, privacy programmes will remain chronically underfunded, requiring privacy officers to build and maintain strong relationships with corporate counsel, lines of business, HR, IT security, IT operations and application development teams.
“An established relationship with regulatory authorities and the privacy advocacy community will also be an advantage to them.”
Having identified the top five issues, Gartner said that data breaches should not consume more than ten per cent of a privacy officer's time as preparing for and following up on breaches is actually straightforward. It also said that most controls exist anyway if security management is working properly.
It said that depending on the nature of the business, privacy officers will focus five to 25 per cent of their time on location-based services and should collect information only for the purpose for which it is needed. Cloud computing should consume 20- 30 per cent of a privacy officer's time and they should not accept ‘no' for an answer when asking whether the processing of personal information in the cloud or abroad is allowed.
Regarding privacy, Gartner said that there is no right or wrong and finding the balance between ‘not enough' protection and ‘too much' protection is an ongoing process. It said that privacy officers should set up a process to identify stakeholders for personal information, gather requirements from them, influence the design of the business process and applications and plan for adjustments. Once this process has been created, its execution should take the privacy officer no more than 10 per cent of his or her time, it said.
Finally it said that no more than five to ten per cent of the privacy officer's time should be spent on monitoring of regulatory changes as they should not distract privacy officers from pursuing their strategies, as most regulatory changes will only have a mid to long-term effect.