IAPP-EY Annual Governance Report 2018

Last year, the 2017 "Privacy Governance Report" welcomed the arrival of the EU General Data Protection Regulation, both the compliance efforts and the corresponding angst over how to accomplish a list of daunting, if not impossible, tasks. One year later, we see in the 2018 survey that organizations have bulked up their privacy teams, tackled the hard work of implementing GDPR programs, spent a lot of money to get there (an average of $1.3 million, with an additional $1.8 million expected), and learned many lessons along the way.

Indeed, there is still a long way to go: Fewer than 50% of survey respondents report they are “fully compliant” with the GDPR, and nearly one in five admits that full GDPR compliance is truly impossible. But there is good news: The GDPR looks a lot less complicated and confusing in practice than it initially did on paper. While privacy professionals are still struggling with certain tasks, difficulty scores have dropped considerably for every individual compliance process.

Like last year, of course, with the GDPR dominating the privacy narrative, we see considerable growth in the number of privacy professionals working for European organizations and responding to the survey. Membership in the IAPP has eclipsed 44,000 members — 14,000 more (47% growth) than last year at this time. Nearly 13,000 of the membership are domiciled in Europe. Commensurately, in this year’s survey, 37% of respondents are from the European Union (including, for now, the United Kingdom), up from 22% in 2017 and 19% in 2016.

Those who have been following the governance report since its first year in 2015 will see shifts in the data corresponding to this shift in respondent demographics.

Further, the GDPR launches into the regulated arena many firms that were previously not regulated for data protection and privacy issues. It is, as privacy professionals now know, just the tip of a growing iceberg of global privacy regulations. Accordingly, we are seeing significant growth in the number of full-time staff dedicated to privacy, with the global mean now at 10 full-time privacy staff.

One key finding is that privacy is increasingly a stand-alone issue of corporate significance, not tied as integrally to data breach as in previous years. Here are some other key results:

  • 76% of all respondents believe their firm falls under the scope of the GDPR.
  • Acquiring and maintaining business relationships is a key driver of GDPR compliance; B2B-focused businesses are far more likely than B2C and even than blended firms to have full-time privacy professionals working in their privacy programs.
  • 25% of respondents have changed vendors in response to GDPR, and 30% say they are considering future vendor changes.
  • The most popular cross-border data transfer mechanism — by far — is Standard Contractual Clauses.
  • More than half the respondents subject to GDPR (56%) say they are far from compliance or will never comply.

One of the other important stories coming out of this year’s report is a portrait of the role of the data protection officer. This position has exploded onto the scene, with 75% of respondent firms reporting they have appointed a DPO. Among those that haven’t, most believe the GDPR simply doesn’t apply to them.

Firms are split almost evenly as to their motivations for having a DPO. Slightly over half are just following the law, but 48% have created the position to serve a valuable business function. Almost six in ten privacy leaders, those who oversee privacy decision-making at their organizations, have taken the DPO duties on themselves, and, where they haven’t, the DPO more likely than not (65% of the time) reports to the privacy lead.

Given the above, it is perhaps not surprising that privacy professionals are enjoying more influence earlier and more often in the development and maintenance of products and services, as privacy by design takes hold as an organizational philosophy. They are developing and deploying firm-wide privacy training as a top priority and seeing their issues front and center with the board of directors.

In short, along with the GDPR, data protection officers have arrived.