Growing complexity is driving operational changes to privacy programs

A majority of companies are adopting a single global data protection strategy to manage evolving privacy programs, and that managing the expanding ecosystem of third parties handling data has become a top priority, a TrustArc report reveals.

Evolving ecosystem of partners, customers, and vendors driving risk assessment processes

Vendor and third-party risk assessments ranked first among privacy assessments globally, with 78 percent of U.S. respondents reporting that they now conduct them. That figure indicates the growing complexity of the ecosystem now impacting compliant data privacy management.

To understand the different types of privacy programs across regions, company size and industry, TrustArc and the IAPP surveyed close to 350 privacy professionals in the U.S., EU, UK and Canada.

U.S. companies comply with more laws than EU counterparts

• 79% of respondents report complying with two or more privacy laws, while only 16% are focused on just one.
• 10% report actively working to comply with 50 privacy laws or more at once, while 13% are working on 6-10 laws, and another 13% on 11-49 laws.
• EU respondents were more likely to report actively working to comply with five or fewer privacy laws, while U.S. respondents were more likely than their EU counterparts to be complying with 11 or more laws.
• Significantly more EU+UK respondents (81%) conduct Data Protection Impact Assessments as compared to U.S. respondents (53%).

Majority pursuing a single, global data protection strategy

• 56% of respondents across all geographies are working toward a single, global data protection and privacy strategy for data subjects’ rights.
• Only 28% of U.S. companies and 21% of EU+UK companies categorize data subjects by jurisdiction and geography and handle each data subject’s data according to the laws that apply to that individual.
• A majority of EU+UK respondents report serving customers in only one region (22%) compared to U.S. respondents (11%).

Privacy programs and operational changes

• 47% updated their website’s cookie policy and 80% updated their website’s privacy policy one or more times in the last 12 months.
• 42% deleted personal data more regularly; more so among EU+UK respondents (56%) than U.S. (44%).
• 21% converted from an opt-out to an opt-in email marketing strategy across geographies; vastly more so in the EU+UK (30%) compared to US respondents (13%).