IAPP-EY Annual Governance Report 2019

Now in its fifth year, the IAPP-EY Privacy Governance Report has evolved over time, along with the privacy profession itself.

This year, almost as many of the 370 respondents to the survey hailed from the European Union as from the United States. This reflects the growth of the privacy and data protection profession in the EU in reaction to the GDPR. The GDPR has driven growth in privacy-pro ranks in the U.S., as well.

And yet, have we seen a leveling-off of business investment in privacy post-2018? Budgets and staffing are flat this year, even though GDPR compliance has not yet been widely achieved.

One GDPR responsibility most have met, in response to Article 37, is to appoint a data protection officer — nearly three out of four organizations subject to the regulation have appointed a DPO, whether obligated by the law or not. Indeed, one-third of all survey respondents hold the DPO title. Among those DPOs from the EU, most (69%) hold the top privacy role for their firm. They often have direct reporting lines to the board of directors, as well.

High on the list of privacy concerns for the board — following data breach — is legal and regulatory compliance, especially with the GDPR. The regulation has had such a massive impact on data management practices globally that it has become, in many respects, the de facto global standard for privacy. Compliance with privacy laws and regulations tops privacy professionals’ priority list — 41% of respondents name it as their highest priority. GDPR compliance is far and away the top priority for those in the EU (58% chose it), whereas only 11% of U.S. respondents selected it as number one. On the flip side, 46% of U.S. respondents named “compliance (beyond the GDPR)” as their highest priority, with only 30% of EU respondents selecting it.

With all this attention to compliance, fewer than half of all respondents report being “very” or “fully” compliant with the GDPR. Among EU respondents alone, 43% report they are only “moderately compliant” with the GDPR, even when GDPR compliance is their primary responsibility. One in 10 admit they are only “somewhat” compliant with the GDPR.

Privacy pros in the U.S. are less likely than their EU counterparts to be DPOs and more likely to have multiple privacy responsibilities beyond GDPR compliance. They report working on vendor management and even “ethical decision making” more often than those in the EU.

Other major takeaways from this year’s report:

  • Among respondents whose organizations must comply with the GDPR, 38% have reported a breach this year (compared to just 16% in 2018), and 22% have reported more than 10.
  • Nearly all respondents (90%) report their firms rely on third parties for data processing, and the top method for ensuring vendors have appropriate data protection safeguards is “relying on assurances in the contract” (named by 94% of respondents). More than half (57%) use questionnaires, while only one in four conduct on-site audits.
  • The most popular method, by far, for data transfers outside the EU is use of standard contractual clauses (88% of respondents), followed by compliance with the EU-U.S. Privacy Shield arrangement (60%).
  • For those respondents transferring data from the EU to the U.K. (52%), 91% report they intend to use SCCs for data-transfer compliance after Brexit.
  • More than half of respondents (56%) named “locating unstructured personal data” as the most difficult issue in responding to data subject access requests (including access, deletion, and rectification requests), far ahead of “monitoring data protection/privacy practices of third parties” (36%), data minimization (28%), or developing a centralized opt-out tool (25%).
  • Manual methods are still common for activities like data inventory and mapping and responding to subject access requests, with spending on privacy technology significantly higher among U.S. respondents than those from the EU.

All in all, we find privacy professionals happy in their jobs. In our first-ever “happiness indicator,” 33% of privacy professionals assigned the highest satisfaction score to their jobs (“very satisfied”), with another 49% selecting the next highest score (“satisfied”). Only 8% said they were either unsatisfied or very unsatisfied.

Nearly half of all respondents (45%) expect privacy to bring them new opportunities, while another 38% are at the peak of their careers.