This report is a publication by the IAPP and KPMG. The full version of the report, available only to IAPP members, can be accessed here.

While the complexity, variety and scale may vary from organization to organization, all organizations that process personal data contend with privacy risk.

Whether it’s uncertainty in the ability to deliver on a privacy compliance program for the next year due to ongoing regulatory change, the challenge of obtaining and subsequently maintaining full compliance with proliferating, and even conflicting, privacy laws around the world, or uncertainty from inability to predict the future — organizations need to find ways to identify, assess, evaluate and treat privacy risk.

In this climate, organizations increasingly have to grapple with a complex privacy risk environment fraught with regulatory and economic uncertainties. It is an environment replete with new and evolving harms through the proliferation of emerging technologies, changing consumer expectations on privacy, and increasing scrutiny on business initiatives and market trends.

To complement the report, the IAPP published an at-a-glance infographic that presents key data points, which can be accessed here.

"Privacy by design and by default continues to be important beyond compliance, with regulatory requirements offering organizations the opportunity to reduce risk and effectively manage privacy harms impacting individuals in their absence."

In this year’s report, privacy leaders identified geopolitical instability, rapidly maturing and emerging technologies, lack of available talent, and increasing shareholder and regulatory expectations as some of the most significant challenges, revealing concerns about an increasingly fragmented and unpredictable world.

Against this backdrop, we found that organizations taking steps to manage enterprise privacy risks considered the following to support the identification, assessment, evaluation and treatment of privacy risk: roles and responsibilities, methodology, technology, communications and continuous improvement.

Key Takeaways

The five highest priority privacy risk domains identified by participants were data breaches, noncompliant third-party data processing, ineffective privacy by design implementation, inappropriate personal data management and insufficient privacy training for employees.


The most common and most emerging privacy risk identified by participants was difficulty maintaining compliance across various regulatory regimes with differing and/or evolving requirements.


Almost 30% of organizations use spreadsheet technology to help manage their privacy risk efforts.


Only 50% of organizations have an established privacy risk appetite.


64% of organizations have a privacy risk management program that is fully integrated into their overall enterprise risk management program.


83% of organizations place some kind of privacy risk information in their annual report.


Almost 93% of organizations indicated privacy is a top-10 organizational risk, and 36% ranked it within the top five.

  • Additional top-ranked emerging risks included balancing data localization requirements with EU business needs, unintended consequences due to immaturity in managing the privacy risks that occur through the use of AI and privacy risks resulting from efforts to monetize data.
  • Regulation/compliance, data management and governance were the top three most common risk domains identified by participants.
