Benchmark Study of European and U.S. Corporate Privacy Practices
25 pages
English


Sponsored by the global law firm of WHITE & CASE LLP
Independently conducted by Ponemon Institute

Benchmark Study of European and U.S. Corporate Privacy Practices

Report April 26, 2006

Ponemon Institute© Please Do Not Share Without Permission


I. Executive Summary

White & Case, LLP and Ponemon Institute, LLC are pleased to present the summary results of
the first study that benchmarks the corporate privacy practices of a matched sample of European
and U.S. multinational companies.

Results from the Study of European and U.S. Corporate Privacy Practices (hereafter termed the
Study) provide a meaningful baseline for measuring and monitoring trends about how
multinational organizations in two different regions of the world are facing regulatory requirements
and creating privacy programs that build trust with their key stakeholders.

Drawing from a matched sample of large European and U.S. companies,[1] our study addresses
eight key areas in the typical corporate privacy program. The eight areas are: Privacy Policy,
Communications & Training, Privacy Management, Data Security Methods, Privacy Compliance,
Choice & Consent, Cross-National Standards, and Redress.

A comprehensive privacy and data protection program with these eight areas is becoming
increasingly important for several reasons.

These include, but are not limited to:

- The organization's need to comply with the plethora of emerging privacy legislation and regulation;
- The adoption of enabling technologies in the collection, use and storage of personal data; and
- The increased expectation that organizations will take the necessary steps to safeguard their privacy commitments to customers, consumers and employees.

Findings of our study suggest that both European and U.S. organizations are approaching their privacy initiative as one aimed at achieving compliance with law or risk management. For example, only 50% of European and 24% of U.S. privacy leaders believe that corporate privacy is an important part of their companies' brand or image in the marketplace. In general, our findings suggest that U.S. companies are engaging in more security and control oriented compliance activities than European companies. As a result, U.S. corporate benchmark scores are higher than European scores in five of the eight areas of corporate privacy practice.

Despite differences in benchmark scores, our results suggest that European privacy leaders seem to understand and respect the need for their companies to have policies and programs that respect employees and other data subjects. In comparison to U.S. companies, European organizations appear to place more constraints on the use and sharing of consumer and employee data. In addition, European companies appear to provide all data subjects with an avenue to express choice or consent regarding acceptable data uses and sharing. This study also shows that European privacy leaders are more likely to hold the view or belief that their role is inextricably tied to advancing a culture of responsible information use rather than establishing technical or administrative controls over privacy and data protection.

Our study provides comparative information on what European and U.S. companies are doing to achieve privacy programs that protect the plethora of personal information collected, used, shared and retained. This study also seeks to determine what companies are doing to move beyond the compliance mindset. We want to understand if progressive companies in Europe and the United States are starting to view privacy as an opportunity to build trusted relationships with stakeholders to increase revenue and strengthen reputation and brand.

[1] In total, 16 European companies included in the Survey have divisions or wholly owned affiliates in the United States. All 29 U.S. companies included in the Survey have affiliated operations in European countries.

Key Findings:

1. U.S. companies are more likely to have a dedicated privacy officer or leader responsible for privacy issues than comparable European companies. U.S. privacy leaders tend to have higher levels of reporting authority than European privacy officers. In addition, U.S. privacy programs are much more likely to operate outside of the proverbial "silo" – where a cross-functional team representing different constituencies provides governance and oversight.

2. European companies are much more likely to have privacy practices that restrict or limit the sharing of sensitive personal information. Many of the participating European companies have a strict "no-share" policy for consumer and employee data. For those European companies that do share, these organizations appear to be very careful to obtain the informed consent of data subjects in advance of moving data to third parties. In addition, none of the European companies sell personal information about customers or employees. This is not the case for more than half of the participating U.S. organizations.

3. European companies are more likely to have a privacy policy that addresses employee privacy rights. In addition, European companies are more likely to provide employees with choice or consent on how information is used or shared.

4. European companies appear to be more likely than U.S. firms to provide their customers and employees with basic access and correction rights.

5. U.S. companies are more likely than European companies to offer privacy training and awareness programs for employees. In addition, U.S. companies are more likely to impose mandatory training for all employees who routinely use sensitive personal information.

6. U.S. companies are more transparent or open with vendors and other business partners about corporate privacy policies and practices. In contrast, many European companies do not appear willing to share internal information about privacy policies with business partners.

7. Privacy leaders in U.S. companies are more involved in the review and monitoring of the company's marketing and customer contact programs than in European companies. Very few European privacy leaders monitor marketing campaigns for compliance with the company's privacy standards or law.

8. U.S. companies are more likely than European firms to require all vendors, contractors and other third parties that acquire sensitive personal information to comply with rigorous data security guidelines or practices. In addition, U.S. companies are more likely to audit third parties for compliance with standard contractual terms for privacy and data protection.

9. U.S. companies appear to implement more information security technologies to protect or safeguard sensitive personal information than European firms. Examples of these technologies include encryption, intrusion detection systems, and Web site monitoring.

10. European companies appear to have more rigorous data export controls, especially when moving personal information about employees and customers to non-European Union nations. In addition, European companies are more likely to incorporate privacy program objectives that focus on data relevancy and data adequacy.

11. European privacy leaders are much more likely to believe that they have ample resources to manage their company's privacy commitments and obligations than U.S. privacy leaders.

12. European privacy leaders appear to have a more positive working relationship with functional regulators (data protection authorities) than U.S. privacy leaders.

II. Introduction & Caveats

This report provides the results of a small, non-scientific benchmark study about the corporate privacy and data protection practices of business organizations in Europe and the United States. Ponemon Institute is a "think tank" dedicated to the study of responsible information management practices within business and government. While we conducted this research in collaboration with White & Case, all empirical results were captured, compiled and analyzed independently by the Institute.

Privacy management is a relatively new organizational activity in many organizations. As a consequence, there is a lack of information about the practices and processes employed by companies to mitigate business risk and ensure compliance. This study seeks to shed light on the emerging area of privacy management by attempting to answer four basic questions:

1. What are leading companies doing today to ensure adequate compliance with the rash of new privacy and data protection compliance requirements in Europe and the U.S.?

2. Is there a common set of business practices employed by leading companies in Europe and the U.S. today to ensure reasonable protection and controls over the collection, use, sharing and protection of personal information?

3. Are there apparent gaps in privacy and data protection activities that create vulnerabilities for companies in terms of their privacy and data protection responsibilities?

4. Do European and U.S. corporate privacy and data protection practices differ? If so, are these differences due to regulation or to cultural orientation toward responsible information management?

Because this is the first benchmark study that seeks to compare European and U.S. companies, we anticipate that there will be many open issues and potential areas for future improvement to the basic research. We welcome your suggestions and constructive input before implementing follow-up studies. The Information Commissioner's Office of the UK rev