Organizations are investing more in privacy because they view it as a critical business priority, but there’s a major disconnect between consumer expectations and how organizations are actually handling data.
That’s according to Cisco Systems Inc.’s newest 2023 Data Privacy Benchmark Study, which also revealed that customers believe companies can do more, especially when using artificial intelligence with their personal data.
This contrast poses an interesting challenge for corporate chief information security officers, as many have them have told me that consumer privacy has become a top initiative because of the intense media pressure every time a breach occurs. The Cisco report clearly shows that despite the increased focus and budget, businesses can’t seem to close the gap with customer expectations.
The study, released Jan. 24, is Cisco’s sixth annual global study gauging perspectives on data privacy strategies. Cisco anonymously surveyed more than 4,700 security professionals from 26 geographies in 2022. The survey respondents come from various industries and company sizes. The study also includes results from Cisco’s 2022 Consumer Privacy Survey that was also conducted in 2022, surveying 2,600 adults in 12 geographies.
For most organizations (95%), privacy is a business imperative and an integral part of their organizations’ culture. Ninety-four percent of the respondents said customers would not buy from their company if data was not properly protected, while 81% agreed that the way an organization treats data reveals a lot about how it respects customer privacy.
Given the growing importance of privacy, it’s no surprise that organizations continue to invest in it. Despite a difficult economic climate, spending on privacy averaged $2.7 million in 2022, compared with $1.2 million just three years ago. The most significant growth between 2021 and 2022 took place at smaller organizations. For those with 50 to 249 employees, spending increased more than 17%, to $2 million. For those with 500 to 999 employees, spending rose more than 13%, to $2.6 million. Spending at larger organizations remained mostly unchanged after significant increases from 2019 to 2020.
Organizations view privacy as an attractive financial investment. In fact, the average organization reported getting 1.8 times return on their privacy investments. Thirty-six percent of organizations said they are getting returns at least twice their spending, up from 32% last year. The key benefits from privacy cited by the respondents include reducing sales delays, mitigating losses from data breaches, enabling innovation, achieving operational efficiency, building trust with customers, and making their company more attractive.
Yet when it comes to building trust, many organizations are not on the same page with consumers. According to findings from Cisco’s 2022 consumer survey, 60% of consumers worry about how organizations are using AI, while 65% said they’ve already lost trust in organizations over their AI practices. Consumers also said the best way to make them more comfortable would be to provide an opt-out option for AI.
I find the consumer demand for AI fascinating because just a few years ago, the sentiment was very much anti-AI, since no one wanted machines continually looking at their data. Sure, it might protect them, but the fear is it may be used for sales and marketing purposes. It seems consumers now recognize the value AI can bring to privacy. The challenge for businesses is that AI brings an expectation of perfection and even the best AI tools aren’t capable of that.
Although 96% of organizations believe they have an ethical obligation to treat data properly, their priorities are not consistent with those named by consumers. According to this year’s benchmark study, 30% of organizations named compliance as the most important priority for building customer trust, followed by transparency (26%). However, in the consumer survey, 39% of the respondents cited providing easily accessible and clear information about how their data is being used as the top priority.
The findings from both surveys reveal that compliance is not enough to build trust. Organizations must treat privacy as a critical business priority and ensure that everyone across the organization plays a role in protecting data. In fact, 95% of the respondents in the benchmark study said all employees need to know how to safeguard data privacy.
Privacy legislation plays an important role in ensuring that governments hold organizations accountable for how they manage personal data. Such laws now exist in 157 countries, an increase from 145 just last year. Even though complying with privacy laws can be costly and time-consuming, 79% of organizations believe they have had a positive impact.
Most organizations (90%) feel that a global provider operating at scale can better protect their data than a local provider. This is surprising, considering that many governments and organizations have data localization requirements in place that force data to be kept within a country or region. While conducting its research, Cisco found that localization isn’t optimal when taking into account costs, security and other tradeoffs. According to the study, 89% of organizations agree that data localization adds significant cost to their operations.
In conclusion, Cisco makes several recommendations based on the survey findings. First, it recommends that organization continue to invest in privacy and involve security and information technology professionals, who deal directly with personal data processing and protection.
Organizations should also be more transparent with their customers about how their personal data is used. For example, when using AI, companies should provide management options to customers.
Lastly, data localization is not always the answer since global providers are better equipped at tackling today’s complex privacy requirements.