A new GDPR privacy benchmarking study by IAPP and TRUSTe provides insight into how companies are preparing for the sweeping changes to privacy laws under the EU General Data Protection Regulation (GDPR).
The study profiled companies on overall preparations for the GDPR, along with actions taken on key components including assigning a Data Protection Officer, understanding where and how personal data is used within their organization, and conducting Data Privacy Impact Assessments.
- 9 in 10 companies have actively begun to address the regulation, including 43% who have a plan in place and 49% who have started implementing their GDPR compliance plan.
- EU companies are further along the compliance path with 67% reporting their implementation is underway or completed vs. 42% for the US.
- Privacy Assessments and Data Mapping projects are conducted with a mix of technology tools plus manual processes like email and spreadsheets.
The GDPR overhauls the data privacy legal requirements for companies operating in the EU, including companies based outside the EU that have customers or employees located there.
The regulation, put into effect in May 2016, mandates that companies comply with a broad range of items by May 2018, including requirements to conduct Data Privacy Impact Assessments (PIAs / DPIAs) for high-risk processing, designate a Data Protection Officer (DPO), and demonstrate that their privacy program meets all elements of the 200-page regulation.
The regulation includes stiff penalties, which can equal 4% of annual sales.
Data Protection Officers (DPOs)
The Data Protection Officer, who may create the strategy and manage ongoing compliance for a company, appears to be a high priority with 68% of respondents either having a DPO in place (46%), or having plans to appoint an internal resource to the role (22%).
“Clearly, IAPP members are taking the GDPR’s DPO requirement seriously, with many of them well on their way toward creating a GDPR compliance program,” said IAPP President and CEO J. Trevor Hughes, CIPP. “As the research shows, privacy program leaders are resourceful, but increasingly pressed for time and resources. The IAPP’s training and in-depth educational materials, alongside tools developed by technology providers like TRUSTe, will be vital for helping organizations be ready for the GDPR in May of 2018.”
Data inventory and mapping
Data Inventory and Mapping, which helps an organization understand where all of its privacy-sensitive information is located, is often considered one of the first and most important steps to complete in order to understand where to focus resources.
43% of companies report they already conduct data inventory and mapping projects, and another 30% are planning to do so in the next 12 months.
Some of the top challenges include lack of internal resources (58%) and being too busy with other priorities (32%), which is consistent with the research indicating that 62% rely on manual tools including email and spreadsheets. Data inventory projects are characterized by a high degree of cross-functional collaboration, with 70% reporting they work with IT and 62% with Information Security to complete the projects. 49% also reported the projects are either solely or partially (along with privacy) funded from the IT / Security / Compliance budgets – while 19% reported the projects are solely funded from the privacy budget.
Data Privacy Impact Assessments (DPIAs / PIAs)
71% of organizations are currently conducting Data Privacy Impact Assessments. Some of the top challenges include lack of time (56%) and tools (37%), consistent with data showing 66% rely on spreadsheets and email. Companies are also using technology tools with 59% reporting they use either external software tools or an internally developed system to assist with these projects.
The frequency of assessments varies widely – from as few as 1-2 to as many as 1,000+ per year. The time investment also varies widely, ranging from 25% taking less than one week to 15% taking longer than a month.
TRUSTe CEO Chris Babel states “the clock is ticking and many companies are well on their way to achieving GDPR compliance. This is encouraging since many companies have reported it could take several quarters or more along with investments in additional resources, process changes, and technology tools to achieve compliance. The research suggests many companies are relying on antiquated tools and they will likely either need to ramp up their staff, or begin to embrace technology solutions to improve productivity in order to maintain compliance on an ongoing basis.”