Published: December 2018
In this newest piece of an ongoing series of research that has looked at privacy operations and the use of privacy technology, the IAPP and TrustArc here examine the factors, including geographic region, organizational size, and sector, that are correlated with the current state and development of organizations’ response to various operational demands upon their privacy programs. We focused on certain core operational responsibilities required for compliance with most privacy regulations and the European Union’s General Data Protection Regulation in particular.
At the minimum, we establish a baseline of raw metrics, by which organizations can measure themselves, for how many of these kinds of activities privacy programs around the world are engaging in as part of their overall program efforts.
Our research shows that foundational privacy program activities like data inventory and mapping are well established and common throughout the globe, in both the European Union and the United States, and among large and small organizations across sectors. These practices are managed largely with internal tools, and less often with commercially available software.
The GDPR, which applies to roughly 80 percent of our nearly 500 survey participants, encourages a risk-based approach to privacy, and specifically requires organizations to conduct risk assessments including “data protection impact assessments,” or DPIAs, for high-risk processing activities. Our survey found that more respondents conduct DPIAs than any other form of risk assessment, including vendor vetting and even privacy impact assessments (PIA), an older cousin to the DPIA.
Among survey respondents subject to the GDPR, we found that many organizations have not yet been forced to engage with some of its major obligations. A majority of respondents have created fewer than five (or even zero) DPIAs since the GDPR took effect. Around one-quarter of respondents have prepared between one and five Article 30 records of processing reports, while another 15 percent have prepared none, and a full 19 percent simply don’t know.
Data subject access requests have not yet come pouring in (generally speaking) either. Most respondents field fewer than 10 data subject access requests per month, and 22 percent have yet to receive any. Meanwhile, 30 percent of respondents have notified a supervisory authority of at least one data breach, which is in line with prior research that around four in 10 organizations report having experienced privacy incidents in a previous two-year period. The firms most likely to report data breaches are in the banking, insurance and telecommunications sector; software and services industries (the typical data processor roles) report the least often.
We’ve even created a fun new ratio: The median organization receives seven DSARs per million data subjects per month.
In terms of tools used to conduct their jobs, most respondents continue to use informal internal means for data inventory and mapping, DPIAs, and other privacy operations. For mapping and inventory, just 10 percent use commercial software tools developed specifically for the task but this number grows to 20 percent for DPIAs and for records of processing. We also find that, while there is some overlap, organizations are generally investing in tools for specific tasks, rather than buying or adapting one piece of software to handle the whole suite of privacy program management tasks we investigated with this research.
These results showing an uptick in number of operational tasks completed by organizations that have used outside consultants and counsel, and have invested in privacy technology, also create a bit of chicken-and-egg conundrum: Do organizations using privacy technology and outside firms create more DPIAs, for example, because the technology helps them be more efficient, or are organizations that create more DPIAs more likely to invest in privacy technology because there’s more clearly a potential return on investment?