Press Release


ISACA Privacy Survey: Companies Are Not Adequately Protecting Consumers’ Personal Information

Rolling Meadows, IL, USA (29 September 2015)—According to a global survey of privacy and risk professionals released today, more than half of the 546 respondents say consumers should not feel confident that companies are adequately protecting their information. The study, conducted by global IT association ISACA, also found that only 29 percent of the respondents are very confident in their enterprise’s ability to ensure the privacy of its sensitive data. In fact, nearly one in five said they have experienced a material privacy breach.

According to ISACA’s survey report, Keeping a Lock on Privacy: How Enterprises Are Managing Their Privacy Function, the seven key components of an effective privacy program are:

  1. Appropriate staffing
  2. Positioning of privacy function at a high level in the organization chart
  3. Privacy-protection culture
  4. Privacy awareness training
  5. Globally accepted frameworks/standards
  6. Metrics and monitoring program effectiveness
  7. Compliance with data-protection legal requirements

Respondents cite a complex international legal and regulatory landscape and a lack of clarity on roles and responsibilities as the two main barriers to establishing a successful privacy program.

The most commonly reported privacy failures are:

  • Lack of training or poor training
  • Data breach/leakage
  • Not performing a risk assessment

However, the survey also identified some bright spots. More than 9 in 10 organizations have assigned someone to be accountable for privacy, and the primary positions given this responsibility are CISOs and chief privacy officers (CPOs) who report directly to the CEO. Additionally, the majority (76 percent) of organizations provide privacy awareness training to staff.

“Organizations with effective privacy programs understand that these programs begin with a system of governance and management, and are supported by a team with defined privacy responsibilities,” said Yves Le Roux, chair of ISACA’s Privacy Working Group, principal consultant of CA Technologies.

For full results, visit
ISACA will use the survey data to help create additional privacy guidance, including a set of guiding principles in 2016.


ISACA helps global professionals lead, adapt and assure trust in an evolving digital world by offering innovative and world-class knowledge, standards, networking, credentialing and career development. Established in 1969, ISACA is a global nonprofit association of 140,000 professionals in 180 countries. ISACA also offers the Cybersecurity Nexus (CSX), a holistic cybersecurity resource, and COBIT, a business framework to govern enterprise technology.





Kristen Kessinger, +1.847.660.5512

Joanne Duffer, +1.847.660.5564