Gartner Blog Network

Don’t Tackle Data Privacy Alone

by Vivek Swaminathan  |  May 14, 2019  |  Comments Off on Don’t Tackle Data Privacy Alone

Contributed by  Bishwa Pandey, Gartner for Midsize Enterprises
Transparency around data privacy is not optional. A year after GDPR became a law, ten other countries strengthened data privacy legislation to increase protection of employee and customer data. With 58% of cyber-attacks targeting Midsize Enterprises (MSEs) and the average cost of a data breach rising to $3.86 million per data breach[1], MSEs are expected to strengthen data privacy capabilities to maintain customer trust.
The most common misconception around data privacy, however, is that the CIO is always accountable. Although the CIO plays a vital role in data privacy, it is an enterprise-wide concern that needs the support of other risk functions. Privacy and security are the foundational components of building trust and require IT and Legal leader to work together toward this goal.
The following three components are essential foundational steps for the success of data privacy initiatives:
  1. Anchor collaboration between IT and risk functions on shared objectives. The evolving regulatory landscape has resulted in a shared objective for information security, privacy, and compliance – trust. IT and risk functions need to work together to establish credibility, demonstrate transparency regarding their use of customer data and give customers more control over their data. Establish ashared agenda with the General Counsel to manage privacy in the digital business.
  2. Translate privacy objectives into a shared strategy. Maintaining a standardized policy will help streamline communications concerning privacy across different risk functions. The CIO and General Counsel should leverage a standard privacy policy for their organization that ensures the protection of sensitive data.
  3. Embed privacy awareness in existing awareness training programs. As more employees handle sensitive customer data, CIOs at midsized companies should pay attention to the privacy implications of greater customer data exposure. CIOs and GCs should work to embed privacy training and awareness language into existing training that promotes the application of key privacy concepts and keeps employees aware of new and upcoming privacy laws. An effective way to start is to create simple privacy posters that highlight the key elements of the privacy practices.
Data privacy is not the sole responsibility of the CIO; it is a shared responsibility. IT and risk leaders should follow a structured approach based on shared objectives, clear communication between risk functions and increased awareness on privacy to eliminate duplication of effort while ensuring compliance.  
Access additional midsize enterprise guidance on data privacy on or tap into our community of Midsize Enterprise Executive Partners to rethink security for your organization.  Can’t access links?  Talk to us about becoming a client.
Source: [1] 2018 Cost of a Data Breach Study: Global Overview, Ponemon Institute

Additional Resources

View Free, Relevant Gartner Research

Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.

Read Free Gartner Research


Vivek Swaminathan
VP, Team Manager, Midsize Enterprise
9 years at Gartner

Vivek Swaminathan is a Vice President of Peer and Practitioner Research for Midsized Enterprises at Gartner. His team supports a peer network of CIOs at midsized companies with tools, benchmarks and case studies designed to empower small IT teams to do big things. Critically, teams that face similar challenges as larger companies need innovative and actionable solutions to deliver the same results with fewer people. Read Full Bio

Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.