Data risk management, retention and deletion have emerged as some of the areas that require additional awareness, education and training, according to the first annual report of the Global Privacy Culture Survey.
The landmark research project, developed by Privacy Culture in conjunction with law firm Dentons, Queen Mary University and consultancy Capgemini, seeks to understand employee attitudes, knowledge and behaviour towards data privacy and protection.
A total of 3,500 employees across 10 international cross-sector organisations in 52 different countries took part in a pilot enabled by Privacy Culture’s Culture Horizon platform.
The first annual report, published today, shows data sharing and deletion “still causes confusion” among employees, particularly when dealing with third parties, and the ability to recognise and report an individual data rights request is “not always clear.”
The five areas identified as lowest performing were risk management; records of processing; retention and deletion; transparency and policies; and training, awareness and culture.
The report said: “It’s notable that these themes include more technical aspects of data protection, privacy, security, and governance, and knowledge and behaviour will be heavily dependent on the maturity of an organisation’s data protection and privacy programme, as well as whether concepts such as the Data Protection Impact Assessment feature in general on-boarding and annual compliance training.”
The top three highest performing themes across all industries were data breach and incident management; governance and accountability; and compliance and monitoring.
“This is heartening for Data Protection Officers and Chief Information Security Officers alike as our follow-on workshops indicate that some of the foundational elements of privacy and security i.e. how to recognise and report a potential data incident, are landing with 97% of respondents feeling confident that they can recognise the consequences of not reporting a data incident,” the report said.
Participating organisations were provided with a comprehensive report that includes best and worst performing themes, deep insights into specific issues at function and country level, as well as high-level recommendations around how to address them. Individual results were then compared against an overall benchmark.
The 10-minute survey covers 12 themes including Governance & Accountability, Retention & Deletion, Data Security, and Data Incident Reporting, with questions relevant to GDPR and other global privacy standards and laws from around the world.
Respondents completed 50 questions using the psychometric Likert scale, which records employee views anonymously from “strongly agree” to “strongly disagree”. Survey findings are supplemented with conversations with individuals in different areas of the organisation to highlight key insights into why employees may not be behaving in the expected privacy-compliant way.
Headline reports are likely to be published annually for 10 years, to allow the tracking of attitudes and patterns of behaviour over time.
The project was first announced to mark Data Privacy Day in January and launched alongside the Culture Horizon subscription product that allows people to compare, sort and extract survey data relating to different functions, geography, location, jurisdiction and industry sectors. The aim is to provide tools to enable organisations to identify skills and training gaps.