This contrasts with 2012, when responsibility for privacy and regulation appeared to be shifting towards a dedicated privacy officer. The 2013 shift is not necessarily beneficial either, however, as privacy programs should first mature and security teams could get overloaded with the extra responsibility.
"With data security, people think of it as a technical thing," said Shey. "But with privacy, there are a lot more cooks in the kitchen. Because of that, you'll see a greater variation in the proportion of folks."
Shey went on to give examples of other involved parties, including those in a company's legal department, given the risk in compliance. There are also, as previously mentioned, dedicated privacy groups and privacy functions at a company, but this may not always be the case.
"A lot of organizations haven't invested in a dedicated privacy group or function," said Shey. "So instead there are often IT teams with legal or risk and compliance groups that have more privacy responsibility. It's an extra role on top of security."
That said, security and privacy go hand in hand. Privacy is more the regulatory side of things, while security is the enforcer side of it; security ensures that the measures that are in place are actually supporting the privacy initiatives and policies. Shey points out that while it's good to see that companies are caring more about privacy, they may realize going forward that they should have a dedicated group.
"It shouldn't be an add-on on top of what a security group is already doing," said Shey. "The security group should be involved, but they don't need to be the ones leading privacy efforts."