2021 Incident Benchmarking Shows Untapped Potential of Digital Transformation in Privacy Management. 

Privacy Program Metrics

As I continue to share my thoughts on the recently published 2022 RadarFirst Privacy Incident Benchmark Report, I turn my attention to the topic of unlocking your digital transformation strategy. The phrase “digital transformation” is commonly used, and highly desired in maturing companies and industries; however, successful outcomes require the same rigor as we take with, say, product testing.

What is digital transformation and why is continued testing important?

In our benchmark report, two metrics started me thinking about digital transformation completeness. First, the report looked at the trend of risk factor categories: paper, electronic, or verbal/visual. In other words, in what medium was the data disclosed? 

As you might expect, the recent years have seen a decline in paper-related incidents, until 2021 when we observed a reversal in this trend. The chart below illustrates our findings: 

The second metric that caught my attention was the incident “intent” metric: malicious, non-malicious, or unintentional. By far the leading category is “unintentional” and the subject of ongoing internal employee training as well as systems attempting to prevent these incidents (e.g., misdirected email). 

As the chart below shows, unintentional incidents have been on the decline, except in 2021 when they reversed course and increased.

Now, in both charts above, I will acknowledge that one data point does not make a trend. However, since this blog is not a definitive statement, I’ll venture out on a limb and speculate that remote work, due to COVID-19 and the subsequent ongoing desire to continue working in this manner, could be a factor.

Human Behavior Alongside Digital Transformation

As we all know, most office workers were pushed out to remote worksites (i.e., their homes). My initial reaction was that this would yield more “electronic” category incidents and continue to drive down the occurrence of “paper”. When trying to rationalize the two trend reversals discussed above, I began to think about human behavior. 

Many of these digital transformation projects might well have started while in-office work was still common, pre-COVID, where less efficient human behaviors were able to survive in a more forgiving environment. 

Let me give you a real-world example I heard from a former business acquaintance. An electronic invoice approval process was put in place to improve efficiency of accounting operations. As an extension to the created digital workflow, an interim ad hoc step was added — an accounting department person would walk down the hall and tell the soon-to-be recipient of the next workflow step that “it was coming” and then return to their desk and send it. 

The recipient was on watch and usually responded quickly. Then along came COVID and work from home, and away went the walk down the hallway and early heads up – and so did responsiveness. 

The conclusion from the customer was that they did not test their new digitally transformed process by having everyone work from home for a few days while they had the luxury of working from the office. In other words, they didn’t tabletop a few disruptive scenarios to see if and how their workflow would hold up amid conditions other than business as usual. In this case, the digital workflow needed a more obvious notification than the ad hoc human method used in the office.

Back to our findings. I wonder if the remote work we all encountered in 2021 negatively impacted the ongoing digital transformation of the privacy management function and, as a result, we took a minor step backward when operating in an unfamiliar, untested environment?  

I will finish with the recommendation that a digital transformation project will be more successful when, in addition to the standard QA tests, it is held up against a set of disruptions imagined in a tabletop exercise you might find in a business continuity plan.