Critical privacy program activities such as creating data inventories, conducting data protection impact assessments (DPIA), and managing data subject access rights requests (DSAR) are now well established in large and small organizations in both Europe and the United States, according to TrustArc and the International Association of Privacy Professionals (IAPP).
“Among our thousands of members, we know that privacy teams are now reporting on a regular basis to company leadership, and consequently they need to demonstrate results and a return on investment,” said Trevor Hughes, CEO and President of the IAPP. “With this new study, we are helping to identify and develop the metrics that our members require.”
As privacy-related incidents continue to rise and the number of international and domestic privacy regulations increases, privacy programs need to become more sophisticated and mature. These programs require increased investment in technology and resources to support a more proactive and automated approach to privacy management. As privacy teams become more operational, they need metrics that can be benchmarked against time, industry and company size.
“GDPR, CCPA and other global privacy regulations have forced organizations to account for how they manage data,” said Chris Babel, CEO of TrustArc. “The results of this global survey reinforce the growing role of privacy management solutions in addressing these issues and the importance organizations are placing on demonstrating compliance to regulators and consumers.”
To understand the different types of privacy and security operations, who is running them and where, TrustArc and the IAPP surveyed close to 500 privacy professionals in the U.S., EU, UK and Canada.
Data inventory is becoming a standard privacy management practice
- 83% have created a data inventory of their business processing activities, which is a significant increase from the 43% of respondents who reported engaging in routine inventory and mapping exercises two years ago.
- 20% are using specialized data inventory and mapping software, up from 10% two years ago.
DPIAs are the most common type of privacy assessments
- 75% of respondents subject to the GDPR report they have completed one or more Data Protection Impact Assessments (DPIA).
- 46% use technology tools for DPIA management, including 20% who use a specialized software solution; 47% use a manual process, down from 66% two years ago.
- DPIAs, Privacy Impact Assessments (PIAs), and Vendor / Third Party Risk assessments are the most popular types of privacy assessment, and are used significantly more often than common security assessments such as ISO 27001 and NIST.
Individual rights / data subject access rights (DSAR) requests impacting most organizations
- 72% report receiving one or more DSAR requests since GDPR went into effect May 25, 2018.
- 47% receive 1-10 requests / month; 16% 11-99 requests / month; 9% 100 or more requests / month.
- 30% have partially automated DSAR management; 3% have fully automated it; 57% are using a manual process.
Data breach notification requirements impacting larger companies
- 27% of respondents from large organizations report filing one or more breach notifications vs 16% from small organizations.