Only 9% of Privacy Pros Report Full Compliance with GDPR, Research Finds

The 2019 IAPP-EY Privacy Governance Report reveals privacy pros still struggle to keep up with regulation

 

PORTSMOUTH, NH – Sept. 24, 2019 – According to new research released by the International Association of Privacy Professionals (IAPP) at this year’s Privacy. Security. Risk. conference, only 9% of privacy professionals in the U.S. and EU report their firms as fully compliant with the EU’s General Data Protection Regulation (GDPR) more than a year after its implementation. The research, revealed in the fifth annual IAPP-EY Privacy Governance Report, shows that even among privacy experts, compliance with the GDPR is proving difficult.

Of the 370 privacy professionals surveyed in the EU and U.S., more than 50% of those responsible for compliance with GDPR report their firms are at best moderately compliant and at worst not compliant at all. 36% called themselves very compliant.

GDPR compliance was a struggle across the board, but of lesser concern to those in the U.S., as only 11% listed it as a top priority, compared to 58% in the EU. On the other hand, 80% of U.S.-based businesses listed the California Consumer Privacy Act (CCPA) as a key responsibility of their role, while only 17% of respondents in the EU did.

Among respondents whose organizations must comply with the GDPR, 38% have reported a breach this year – including a staggering 52% of companies based in the EU. This reflects more than double the number of companies reporting a breach in 2018. 22% of respondents reported more than ten breaches this past year. The increases can be tied to increased regulation, but enforcement is still lagging, with just 2% reporting having been fined.

“It’s a monumental task to comply with the GDPR, and the stakes are high,” said Trevor Hughes, President and CEO, IAPP. “So far this year, we’ve seen privacy regulators flexing their muscles, ruling on the largest privacy and data protection fines in history. This message resonated loud and clear in corporate boardrooms, making the need to educate and train professionals with the knowledge and skills to make ethical decisions about how data is handled more important than ever.”

It is clear that the GDPR was a massive driver of growth for the privacy profession in 2018. Nearly 3 out of 4 organizations subject to the regulation have appointed a Data Protection Officer (DPO), whether obligated to by law or not. Among organizations that do have a DPO, 25% have appointed more than one.

By the one-year anniversary of GDPR, the IAPP estimated that around 500,000 organizations had already registered DPOs with data protection authorities in the EU. This staggering number far exceeded pre-GDPR estimates and demonstrates the enormous economic impact of the GDPR, as well as the explosive growth in privacy and data protection as a valued professional role.

Due to the continued growth of the industry, this year’s report included the first-ever happiness indicator, finding that 33% of privacy professionals assigned the highest satisfaction score to their jobs, with another 49% selecting the next highest score of “satisfied.” Only 8% reported dissatisfaction.

Another notable event with potential impact on the industry is Brexit. More than half of respondents, including 68% of those based in the EU, expect to feel the impact of Brexit. Twelve percent of respondents with their main establishment in the UK report that their companies plan to move corporate headquarters to Ireland post-Brexit, with another 18% planning to move to another EU location.

The full report, revealed at the IAPP’s Privacy. Security. Risk. 2019 in Las Vegas, can be found here. To learn more about the International Association of Privacy Professionals, please visit www.iapp.org.

About the IAPP
The International Association of Privacy Professionals is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, promote and improve the privacy profession globally. More information about the IAPP is available at iapp.org.

 

Media Contact
Sarah Sturba
Matter Communications
401.432.6503
iapp@matternow.com