Preparing for the GDPR: DPOs, PIAs, and Data Mapping

Published: November 2016

We know that organizations with mature privacy programs have internal privacy leadership and data management expertise, conduct privacy assessments for new and ongoing projects, and involve privacy in all facets of the product life cycle. These organizations are also more likely to conduct data inventory and mapping exercises. One-third of the members of the International Association of Privacy Professionals have reached this maturity stage with their programs.

So if a new regulatory regime codifies these practices, we should expect to see many organizations, especially those with privacy professionals on board, already well prepared for compliance.

With the General Data Protection Regulation coming online in the European Union by May 2018 — by its own terms affecting organizations worldwide that collect or process EU citizens’ personal data — we have an opportunity to test how ready privacy professionals are for a contemporary and comprehensive privacy regulation that makes obligatory many of the last decade’s “privacy-on-the-ground” practices.

The IAPP-TRUSTe 2016 study on privacy practices asked 244 privacy professionals about their organizations’ progress toward GDPR compliance, such as whether they have a data protection officer, as well as questions about data hygiene habits like privacy assessments and data inventory and mapping exercises.

As this report demonstrates, organizations expecting to fall under the GDPR’s jurisdiction are already preparing for and in many cases engaging in privacy practices codified in the GDPR. Regardless of geography or size, most organizations – 80 percent – believe they are going to need a DPO. More than 70 percent already regularly conduct privacy assessments, confirming the same finding from the IAPP-EY 2016 Privacy Governance Report. And although data inventory and mapping projects are not as common as privacy assessments, they are on the near horizon for many organizations as their privacy programs mature.

Despite mainstream media reports indicating lack of GDPR awareness, more than 90 percent of organizations with privacy professionals in place have begun preparations and many of them are well on their way toward implementing their GDPR compliance plans. 
