IAPP-EY Annual Privacy Governance Report 2016

For privacy and data protection professionals, 2017 may prove to be a watershed year. The leading change agent is the ramp-up in preparations for the European Union’s new General Data Protection Regulation, which enters into force in May 2018 to replace the EU Data Protection Directive. A privacy regulation of the GDPR’s scope not only resonates globally, with a particularly heavy impact on transatlantic commerce, but also brings with it a compliance lift that challenges even the largest of firms and can leave small and medium companies scrambling. Together with the challenges brought by the invalidation of the Safe Harbor framework and the entry into force of the new Privacy Shield, all eyes will be on Europe.

In the United States, a landmark privacy overhaul initiated by President Barack Obama calls for appointment of a Senior Agency Official for Privacy (SAOP) at each federal government agency. The package of revisions to the policy that governs federal information resources management (Circular A-130) also requires privacy training across departments and functions, use of privacy impact assessments, application of the Fair Information Practice Principles to personally identifiable information (PII), and SAOP oversight in information technology capital investments and budgets.

Together, the GDPR, Privacy Shield and Circular A-130 elevate the need for and role of privacy professionals as 2016 draws to a close. But that’s only the leading edge of the past year’s privacy developments. From Turkey to Japan, Peru to Brazil, major privacy legislation has been proposed, ushered through, or come into force. Perhaps no area of global public policy has seen as much activity as privacy and data protection.

In response to this activity, this second annual study of data governance in organizations, surveying modern privacy operations, confirms that privacy tasks and responsibilities are spreading steadily throughout organizational functions and initiatives. This spring, like last year, the IAPP and EY surveyed more than 600 privacy professionals, seeking input about the role and title of the privacy professional within organizations, as well as information about privacy budgets, operations, organizational structure, zones of influence, and priorities.

In addition, the survey asked respondents specifically about their strategy to address cross-border data transfers and the GDPR.

The GDPR imposes new obligations regarding data subject consent and the right to be forgotten, establishes data security standards and EU-wide breach notification rules, and requires many organizations to appoint or hire a data protection officer. The IAPP has estimated that at least 28,000 new DPO positions will be created in the coming years in response to the GDPR. The survey now documents the intended response: fifty percent of all companies surveyed reported an intention to invest in privacy training as a direct result of the GDPR, 35 percent are increasing their privacy budget, and 34 percent are increasing staffing.

The GDPR maintains the current Data Protection Directive’s strict prohibition on cross-border transfer of personal data without adequate safeguards, although it more explicitly defines how organizations can establish such safeguards. In a jurisdiction – like the U.S. – that is not officially deemed to have “adequate” data protection, organizations importing protected EU data are required to use alternative data transfer mechanisms. These may include standard contractual clauses, binding corporate rules, use of a self-regulatory mechanism such as the Privacy Shield, or a number of explicitly defined derogations such as the data subject’s explicit consent or pursuant to a contract with the data subject.

As this report reveals, however, many companies remain wary of Privacy Shield and are still weighing other transfer compliance options. This is especially true of small companies, for whom GDPR compliance presents a formidable challenge. While 50 percent of all companies that transferred personal data between the EU and U.S. in the past used Safe Harbor, just 34 percent say they intend to use Privacy Shield in the future. At the same time, more than 80 percent of companies rely on pre-approved standard contractual clauses, which are currently under legal attack in the Court of Justice of the European Union. Moreover, although one-third of all respondents use BCRs, only 8 percent of companies with fewer than 5,000 employees see this costly data transfer mechanism as viable going forward.

This year’s survey also shows signs of privacy’s maturation not only as a profession but also as an industry. The privacy technology sector – still very young – is beginning to get traction and is showing signs of a promising future. Vendor management is improving, with respondents reporting an 11 percent increase over last year in the thoroughness of their programs and more than two-thirds reporting privacy involvement in vendor selection and contracting.

The political and legal upheaval of 2016 validates privacy professionals’ contributions, and creates not only new privacy jobs but also more opportunities for career advancement. More than half the organizations surveyed expect privacy budgets to grow, while 72 percent report that privacy is now a board-level concern. More than 50 percent of privacy leaders are within two rungs of the CEO position. For the first time, moreover, 50 percent of respondents report that privacy is involved throughout ongoing company operations and more than two-thirds are now regularly using privacy impact assessments (PIAs). And government survey respondents report a likely 30 percent increase in federal privacy positions in the near future.

It’s no wonder, then, that 91 percent of respondents say that privacy “helps open career doors.”

The full 120-page report is available separately.