Benchmark Study of European and U.S. Corporate Privacy Practices
Sponsored by the global law firm of WHITE & CASE LLP

Independently conducted by Ponemon Institute

Benchmark Study of European and U.S.
Corporate Privacy Practices

Report April 26, 2006

Ponemon Institute© Please Do Not Share Without Permission


I. Executive Summary

White & Case, LLP and Ponemon Institute, LLC are pleased to present the summary results of
the first study that benchmarks the corporate privacy practices of a matched sample of European
and U.S. multinational companies.

Results from the Study of European and U.S. Corporate Privacy Practices (hereafter termed the
Study) provide a meaningful baseline for measuring and monitoring trends about how
multinational organizations in two different regions of the world are facing regulatory requirements
and creating privacy programs that build trust with their key stakeholders.

Drawing from a matched sample of large European and U.S. companies, our study addresses
eight key areas in the typical corporate privacy program.[1] The eight areas are: Privacy Policy,
Communications & Training, Privacy Management, Data Security Methods, Privacy Compliance,
Choice & Consent, Cross-National Standards, and Redress.

A comprehensive privacy and data protection program with these eight areas is becoming
increasingly important for several reasons.

Subjects

Informations

Published by
Reads 83
Language English
Document size 2 MB
Report a problem
These include, but are not limited to:

- The organization’s need to comply with the plethora of emerging privacy legislation and regulation;
- The adoption of enabling technologies in the collection, use and storage of personal data; and
- The increased expectation that organizations will take the necessary steps to safeguard their privacy commitments to customers, consumers and employees.

Findings of our study suggest that both European and U.S. organizations are approaching their privacy initiative as one aimed at achieving compliance with law or risk management. For example, only 50% of European and 24% of U.S. privacy leaders believe that corporate privacy is an important part of their companies’ brand or image in the marketplace. In general, our findings suggest that U.S. companies are engaging in more security and control oriented compliance activities than European companies. As a result, U.S. corporate benchmark scores are higher than European scores in five of the eight areas of corporate privacy practice.

Despite differences in benchmark scores, our results suggest that European privacy leaders seem to understand and respect the need for their companies to have policies and programs that respect employees and other data subjects. In comparison to U.S. companies, European organizations appear to place more constraints on the use and sharing of consumer and employee data. In addition, European companies appear to provide all data subjects with an avenue to express choice or consent regarding acceptable data uses and sharing. This study also shows that European privacy leaders are more likely to hold the view or belief that their role is inextricably tied to advancing a culture of responsible information use rather than establishing technical or administrative controls over privacy and data protection.

Our study provides comparative information on what European and U.S. companies are doing to achieve privacy programs that protect the plethora of personal information collected, used, shared and retained. This study also seeks to determine what companies are doing to move beyond the compliance mindset. We want to understand if progressive companies in Europe and the United States are starting to view privacy as an opportunity to build trusted relationships with stakeholders to increase revenue and strengthen reputation and brand.

[1] In total, 16 European companies included in the Survey have divisions or wholly owned affiliates in the United States. All 29 U.S. companies included in the Survey have affiliated operations in European countries.
Key Findings:

1. U.S. companies are more likely to have a dedicated privacy officer or leader responsible for privacy issues than comparable European companies. U.S. privacy leaders tend to have higher levels of reporting authority than European privacy officers. In addition, U.S. privacy programs are much more likely to operate outside of the proverbial “silo” – where a cross-functional team representing different constituencies provides governance and oversight.

2. European companies are much more likely to have privacy practices that restrict or limit the sharing of sensitive personal information. Many of the participating European companies have a strict “no-share” policy for consumer and employee data. For those European companies that do share, these organizations appear to be very careful to obtain the informed consent of data subjects in advance of moving data to third parties. In addition, none of the European companies sell personal information about customers or employees. This is not the case for more than half of the participating U.S. organizations.

3. European companies are more likely to have a privacy policy that addresses employee privacy rights. In addition, European companies are more likely to provide employees with choice or consent on how information is used or shared.

4. European companies appear to be more likely than U.S. firms to provide their customers and employees with basic access and correction rights.

5. U.S. companies are more likely than European companies to offer privacy training and awareness programs for employees. In addition, U.S. companies are more likely to impose mandatory training for all employees who routinely use sensitive personal information.

6. U.S. companies are more transparent or open with vendors and other business partners about corporate privacy policies and practices. In contrast, many European companies do not appear willing to share internal information about privacy policies with business partners.

7. Privacy leaders in U.S. companies are more involved in the review and monitoring of the company’s marketing and customer contact programs than in European companies. Very few European privacy leaders monitor marketing campaigns for compliance with the company’s privacy standards or law.

8. U.S. companies are more likely than European firms to require all vendors, contractors and other third parties that acquire sensitive personal information to comply with rigorous data security guidelines or practices. In addition, U.S. companies are more likely to audit third parties for compliance with standard contractual terms for privacy and data protection.

9. U.S. companies appear to implement more information security technologies to protect or safeguard sensitive personal information than European firms. Examples of these technologies include encryption, intrusion detection systems, and Web site monitoring.

10. European companies appear to have more rigorous data export controls, especially when moving personal information about employees and customers to non-European Union nations. In addition, European companies are more likely to incorporate privacy program objectives that focus on data relevancy and data adequacy.

11. European privacy leaders are much more likely to believe that they have ample resources to manage their company’s privacy commitments and obligations than U.S. privacy leaders.

12. European privacy leaders appear to have a more positive working relationship with functional regulators (data protection authorities) than U.S. privacy leaders.

II. Introduction & Caveats

This report provides the results of a small, non-scientific benchmark study about the corporate privacy and data protection practices of business organizations in Europe and the United States. Ponemon Institute is a “think tank” dedicated to the study of responsible information management practices within business and government.
While we conducted this research in collaboration with White & Case, all empirical results were captured, compiled and analyzed independently by the Institute.

Privacy management is a relatively new organizational activity in many organizations. As a consequence, there is a lack of information about the practices and processes employed by companies to mitigate business risk and ensure compliance. This study seeks to shed light on the emerging area of privacy management by attempting to answer four basic questions:

1. What are leading companies doing today to ensure adequate compliance with the rash of new privacy and data protection compliance requirements in Europe and the U.S.?
2. Is there a common set of business practices employed by leading companies in Europe and the U.S. today to ensure reasonable protection and controls over the collection, use, sharing and protection of personal information?
3. Are there apparent gaps in privacy and data protection activities that create vulnerabilities for companies in terms of their privacy and data protection responsibilities?
4. Do Europe and U.S. corporate privacy and data protection practices differ? If so, are these differences due to regulation or cultural orientation to responsible information management?

Because this is the first benchmark study that seeks to compare European and U.S. companies, we anticipate that there will be many open issues and potential areas for future improvement to the basic research. We welcome your suggestions and constructive input before implementing follow-up studies.

The Information Commissioner's Office of the UK reviewed the draft questionnaire proposed for use in eliciting the responses reported in this Survey, and suggested certain modifications, the most significant of which were incorporated into the final questionnaire. The Commission Nationale de l'Informatique et des Libertes (CNIL) reviewed the draft questionnaire proposed for use in eliciting responses reported in this Survey.

Caveats on Benchmark Findings

There are inherent limitations to survey research that need to be carefully considered before drawing conclusions from findings. The following items are specific limitations that are germane to the present study.

- Non-statistical results. The purpose of this study is descriptive rather than normative inference. The current study draws upon a representative (non-statistical) sample of large organizations, mostly composed of European or U.S. publicly listed corporations (44 named on this year’s Global Fortune 1,000 list). Statistical inferences, margins of error and confidence intervals cannot be applied to these data given the nature and sampling process used.
- Sampling-frame bias. The current findings are based on a small representative sample of completed surveys. As explained below, companies were pre-selected and contacted by Ponemon Institute based solely on organizational size and reputation. Non-response bias was not tested, so it is always possible that companies that did not participate are substantially different in terms of benchmark performance criteria from those that completed the instrument.
- Company-specific information. The benchmark information is sensitive and confidential. Thus, the collection instrument does not capture company-identifying information. It also allows individuals to use categorical response variables to disclose demographic information about the company and industry category. Industry classification relies on self-reported results.
- Unmeasured factors. To keep the survey concise and focused, we decided to omit other important variables from our analyses such as leading trends and organizational characteristics. The extent to which omitted variables might explain benchmark results cannot be estimated at this time.
- Self-reported results. The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide a truthful response.

III. Benchmark Survey Methods

The benchmark survey is designed to collect descriptive information from privacy and data protection practitioners in a timely and cost-efficient manner. The number of survey items is limited to key business issues that cut across different industry sectors. We believe that a survey focusing on business issues (rather than compliance issues) yields a higher response rate and better quality of results. We also use a paper instrument, rather than an electronic (Web) survey, to provide greater assurances of confidentiality.

To keep the survey to a manageable size, we carefully limited items to only those business factors that we consider crucial to the research objective. Hence, items focus on eight core areas of privacy management across the enterprise. Other descriptive items explore key relationships between organizational variables and descriptive responses to benchmark items.

In 2004, Ponemon Institute conducted a benchmark survey comparing the privacy practices of Canadian companies with those of US companies, and found that a higher percentage of Canadian companies offered a greater degree of privacy.

Ponemon Institute developed a proprietary benchmark survey instrument in earlier studies presented at workshops sponsored by the Federal Trade Commission and the International Association of Privacy Professionals.[2] The instrument used in the present study was modified to capture questions that focus on cross-national differences in privacy compliance. The edited version of the instrument was reviewed and approved by White & Case before launching data collection efforts.

[2] See the 2003 Benchmark Study of Corporate Privacy Practices: IAPP & Ponemon Institute Report [presented at United States Federal Trade Commission Workshop on Privacy], June 5, 2003. Also, see the 2005 Benchmark Study of Corporate Privacy Practices: Ponemon Institute Report, July 11, 2005.

In total, the benchmark survey instrument contains 132 descriptive items, all reported in a later section of this report. The study captures organizational demographic items for sample analysis and comparison (as an appendix to the survey instrument). A fixed-format design is used for capturing responses to all benchmark items. The following are the fixed response categories to all benchmark items:

- Yes – denotes a positive response to one survey item.
- No – denotes a negative response to one survey item.
- Unsure – denotes insufficient information available to the individual responding to one survey item.
- Exception – additional contextual information to explain Yes, No or Unsure responses to each given survey item. This data is optional only.
- Blank – This is a no comment response and is not counted in the analysis.

Analysis of benchmark responses focuses on the percent of positive (Yes) responses, defined as Yes (adjusted for reverse-scored items) / (Yes + No + Unsure). The percent of Yes response variable is our surrogate for measuring good privacy practices. No, unsure or blank responses provide insufficient information to draw any conclusions about the efficacy of corporate privacy efforts.

Survey reliability was determined by testing the percentage of survey completion. A 100% completion rate means that all participating companies responded to the item with either a yes, no or unsure response (i.e., no blanks). Approximately half the completed benchmark surveys achieved over a 90% completion rate. The average percentage of completion to all 132 survey items was 101 out of 132 items – or a 77% completion rate. Three companies completed all items. The lowest rate of completion was 80 out of 132 items – or a 61% completion rate.

Assurances were provided by Ponemon Institute that company-specific information would not be revealed without the express consent or permission of the company. Ponemon Institute also signed strict one-way confidentiality agreements to ensure compliance with our own data privacy commitments.

Ponemon Institute contacted a large number of organizations that were considered potential candidates for participation based on their size and data management practices. Most of this outreach and recruitment occurred before December 2005.

The survey instrument does not capture company-specific information of any kind. Subject materials contain no tracking codes or other methods that could link responses to identity. In some instances, subjects returned their survey in a business envelope. In these cases, we removed the instrument and destroyed the envelope. In other instances, individuals sent their completed survey through e-mail. Again, in these cases, the instrument was printed and the e-mail immediately deleted.

Each instrument was completed by the company and carefully screened by the researcher to determine completeness and assess accuracy. Only one instrument was rejected based on too many incomplete or blank responses. In addition, each instrument was reviewed for consistency. Another two instruments were rejected because of inconsistent or erroneous responses. All survey results were captured from mid December 2005 to early April 2006.

Our sampling procedure was organized into two stages. In the first stage we selected large multinational companies that are headquartered (or have major operations) within a European Union nation. Primary selection of European benchmark companies allowed us to identify an approximate matched sample of U.S. multinationals.
In total, companies in many different industry sectors expressed interest in participating in this study. The final sample of European multinationals included 18 companies in 10 industry sectors. The second stage of our sample was to select U.S. multinational companies that were matched on approximate size (in terms of revenue) and industry classifications. In total, 29 U.S. multinationals participated in our benchmark analysis.[3] Table 1 provides a summary recap of sample response results from European (18) and U.S. (29) companies, totaling 47 separate benchmark surveys.

[3] Please note that several of the U.S. companies participated in earlier Ponemon Institute benchmark studies.

Table 1: Total Sample by industry classification

Industry               Companies   U.S.   Europe
Financial Services         12        8       4
Consumer Products           6        4       2
Manufacturing               6        4       2
Pharma                      5        3       2
Technology/Services         5        3       2
Retail                      4        3       1
Telecom                     3        1       2
Energy                      3        2       1
Transportation              3        1       2
Total                      47       29      18

Pie Chart 1 below shows the distribution of 47 companies according to industry classification. The largest sample segments are financial services (25%), consumer products (13%), and manufacturing (13%). The remaining industry groups, each representing less than 11% of the sample, include: technology/services, retail, telecom, energy and transportation.

[Pie Chart 1 (image): Benchmark Sample by Industry Classification. Segments: Financial Services 25%, Consumer Products 13%, Manufacturing 13%, Pharma 11%, Technology/Services 11%, Retail 9%, Telecom 6%, Energy 6%, Transportation 6%.]

IV. Results of the Study

Our benchmark results are presented according to the eight broadly defined privacy program categories from the survey instrument. Bar Chart 1 reports summarized benchmark survey responses according to all eight categories examined for the European and U.S. benchmark samples. The order presented below is by each category’s average “Yes” response to the benchmark survey for 47 companies. As shown, redress has the lowest average benchmark score and policy has the highest average benchmark score.

Bar Chart 1: Average Benchmark Results for European and U.S. Samples

Category                    European Benchmark Sample (n=18)   U.S. Benchmark Sample (n=29)
Policy                                   73%                            62%
Data Security                            41%                            56%
Communication & Training                 32%                            54%
Privacy Management                       35%                            52%
Privacy Compliance                       54%                            61%
Cross-national standards                 54%                            36%
Choice & Consent                         54%                            32%
Redress                                  32%                            37%

This chart shows where companies are devoting most of their efforts and resources. The percent of positive responses across eight categories varies considerably for European and U.S. companies. For European companies, the most common activities concern policy and choice and consent for data subjects. Privacy management and redress activities appear to be the least common program elements for European companies. For U.S. companies, the most common privacy program activities are policy, data security and communications and training. The least common activities are redress and choice and consent for data subjects.[4]

[4] Please note that the results for U.S. companies track closely to earlier benchmark survey results reported in the 2005 Benchmark Study of Corporate Privacy Practices, Ponemon Institute Report, July 11, 2005.

Bar Chart 2 provides benchmark survey differences between European and U.S. companies. Each bar is defined as the overall benchmark category difference between European and U.S. companies. A positive percentage (termed Diff) implies that the European results outperform U.S. results, and a negative percentage implies the opposite.

Bar Chart 2: Benchmark Category Differences between European and U.S. Companies

Category                    Diff (Europe minus U.S.)
Choice & Consent                    23%
Cross-national standards            18%
Policy                              11%
Redress                             -5%
Privacy Compliance                  -7%
Data Security                      -15%
Privacy Management                 -17%
Communication & Training           -22%

As can be seen, European companies outperform U.S. companies in the categories of policy, choice and consent and cross-national standards. On the other hand, U.S. companies outperform European companies in the categories of privacy management, communications and training, data security, privacy compliance and redress. With respect to the eight privacy program areas, the largest positive difference between European and U.S. companies concerns the category choice & consent (Diff = 23%). The most significant negative difference is in the category communications & training (Diff = -22%). In general, our findings suggest that European and U.S. companies differ in terms of methods and approaches to managing privacy commitments and obligations to data subjects.

Bar Chart 3 reports the distribution of all 132 benchmark questions by the range of percentage differences between European and U.S. companies captured in this study. The figure shows that the most positive percentage difference is 61% for survey item “Does your company share customer information with nonaffiliated third-parties?” The largest negative percentage difference is -55% for survey item “Is there a cross-functional committee of the company's business leaders involved in managing the privacy program?” In total, 43 benchmark survey items have percentage differences that are within ±10%. A total of 53 survey items (39%) are positive (suggesting Europe is higher than the U.S. benchmark). A total of 73 survey items (55%) are negative (suggesting the U.S. is higher than Europe for this benchmark item). For the remaining seven benchmark survey items (6%), European and U.S. results are exactly the same.

[Bar Chart 3 (image): Distribution of Percentage Differences for 132 Survey Items. Horizontal axis: difference bins > 60%, 50 to 60%, 40 to 50%, 30 to 40%, 20 to 30%, 10 to 20%, -10 to 10%, -10 to -20%, -20 to -30%, -30 to -40%, -40 to -50%, < -50%. Vertical axis: number of survey items (0 to 50). The -10 to 10% bin holds 43 items; the remaining per-bin counts are not recoverable from the text.]

Bar Chart 4 reports the overall benchmark scores (percentage of Yes responses) for ten industry sectors. As shown, the average benchmark score is highest for organizations in the financial services industry and lowest for consumer products. The range of benchmark scores by industry is from 49.9% to 41.2%.

Bar Chart 4: Average Percentage Yes Score by Industry Classification

Industry               Average % Yes
Financial Services         49.9%
Pharmaceuticals            48.5%
Technology/Services        48.3%
Telecom                    47.7%
Transportation             47.5%
Energy                     44.9%
Retail                     43.2%
Manufacturing              41.4%
Consumer Products          41.2%

The remaining analyses focus on the eight privacy program categories. Each category’s survey items are presented in percentage format for both the European and U.S. samples. The percentage difference (Diff) is presented for each survey item to show the contrast between these two benchmark groups.

Benchmarks on Corporate Privacy Policy

The primary purpose of a privacy policy is to document the company’s practices and procedures for collecting, using, sharing and protecting personal information about customers, consumers and employees. Table 2 reports the summarized results for benchmark survey items pertaining to corporate privacy policies for European and U.S. companies.