IAPP-EY Annual Governance Report 2017

In 2016, privacy professionals across the globe got an assignment: help their organizations prepare for the European Union’s General Data Protection Regulation before it becomes applicable on May 25, 2018. The 2017 IAPP-EY Privacy Governance Survey shows they are in full preparation mode, having secured extra budget and staff to work toward meeting the GDPR’s requirements and ramping up the operational tasks needed to approximate, if not quite achieve, compliance.

This third annual study of data governance in organizations, surveying modern privacy operations about the present and future of the privacy profession, reflects significant changes in privacy programs globally in response to the GDPR. An astonishing 95 percent of survey respondents, more than 75 percent of whom are located outside of the European Union, say the GDPR applies to their organization.

Many other signs point convincingly toward Europe this year:

  • Membership in the IAPP has climbed rapidly to eclipse the 30,000 mark, with nearly 25 percent of the membership located in Europe, where the IAPP is growing most quickly.
  • Survey respondents are noticeably more likely than in years past to be from companies with headquarters in the EU – 22 percent, compared to just 15 percent in 2015 and 19 percent in 2016.
  • Among EU survey respondents, 75 percent report GDPR compliance is the main reason for their privacy program; the same share holds among organizations with more than 75,000 employees.
  • Even when we isolate U.S. firms, 50 percent say GDPR compliance is driving their privacy programs.
  • In fact, organizations expect to hire a total of more than two full-time employees just to help with GDPR compliance, and spend a mean of roughly $5 million in adapting products and services and other GDPR compliance activities.
  • The share of respondents holding a CIPP/Europe certification, 22 percent, is double the 2015 figure.

Operationally, this year’s survey confirms that privacy tasks and responsibilities continue to spread steadily throughout organizational functions and initiatives, responsive to privacy by design principles embedded in the GDPR.

We see increases across the board in the steps organizations are taking to prepare for the GDPR, including major leaps over last year in investments in training (up to 63 percent of respondents compared to 50 percent in 2016), as well as appointment of a data protection officer (48 percent vs 34 percent) or multiple DPOs (up 7 percent over last year).

Perhaps the biggest takeaway from this year’s survey, however, is the role that technology is now playing in privacy management. The second most popular tool for GDPR preparation is investing in technology: 55 percent of respondents plan to make such investments, compared to just 29 percent last year. Among privacy team duties, the use of privacy-enhancing software rose to 31 percent of respondents from 24 percent in 2016.

This has far-reaching implications for privacy professionals. For one, it means that, like the information security industry before it, the privacy technology industry is poised for rapid growth. For another, it means privacy leaders will need to acquire budget and authority for technology acquisition lest they lose control of such purchases to the CIO, CTO or CISO.

Privacy professionals’ approach to privacy is also beginning to reflect the GDPR’s risk-based approach. This year’s survey sees an 11-point increase over 2016 in the percent of respondents working with risk management, and overall there is a shift in focus toward risk and away from pure compliance.

Firms are investing more in privacy staff, with organizations saying they’ve had to add an average of one full-time staffer for GDPR compliance alone. Privacy budgets are notably bigger, too, with mean privacy spending rising from $1.7 million to $2.1 million. All this new spending still isn’t enough, however, according to the 67 percent of respondents who say their budgets are either somewhat less than sufficient or much less than sufficient to get the job done right.

They have a point: Of the firms that believe the GDPR applies to them, nearly six in 10 expect to be only partially compliant by the deadline in May 2018.

Indeed, as seasoned privacy professionals and those just coming online dive into the GDPR, they are finding it more challenging and complex than they initially thought. Nearly every category in our “GDPR Obligation Difficulty” scale rated a higher difficulty score than last year.

Adding to compliance complexity, privacy leaders – who often are asked to wear more than one hat – are now being asked to serve as the DPO, a position mandated for certain organizations by Article 37 of the GDPR. Although 44 percent of respondents report their organization does not yet have that position, 32 percent report the privacy lead is filling the DPO role themselves.

The EU has tremendous leverage as an economic powerhouse, and its ability to affect how organizations around the globe manage data collection, storage, and use cannot be doubted. Even though the GDPR is not yet enforceable, organizations the world over are spending money on hiring and promoting privacy staff, training employees on privacy, purchasing technology to help with GDPR compliance, and pushing privacy awareness into every corner of the firm. Privacy issues are now board-level concerns – even apart from data breach issues – as organizations are more likely than ever before to see privacy as risk management and as business opportunity.

With so many firms struggling to be GDPR compliant by next May, the privacy profession’s growth trends are likely to continue in the coming year.
