The annual Global Privacy Enforcement Network (GPEN) “sweep” is a joint study carried out across the world by data protection regulators (including the UK’s ICO). This year the study looked at how organisations have taken responsibility for complying with data protection laws, particularly the core concept of accountability (which of course was a key GDPR change).
The findings (based on 356 organisations across 18 countries, although not all questions were answered by all respondents) indicated that whilst there were examples of good practice, some organisations had no processes in place, particularly in terms of dealing with data subject rights and data breach issues.
The study looked at a number of indicators. The report provides more detail, but generally speaking the key issues identified were:
- 14% of organisations had poor internal data protection and privacy practices
- 6% of organisations either didn’t say or didn’t have anyone taking responsibility in-house for data compliance
- 6% of organisations had not delivered any staff training around data and privacy compliance
- Of those organisations that did provide training only 50% provided regular refresher training or new starter training
- Only a third of organisations conducted any form of regular review or audit
- Only 55% of organisations said they had appropriate privacy policies in place (6% had nothing; 31% had something, but it was probably not easily accessible or may even have been out of date)
- 13% have no formal incident response procedure in place
- 88% of organisations maintained some form of record of data security incidents
- Just under half of respondents had processes in place to deal with data subject queries or complaints
- Less than half had documented processes in place to assess privacy and data risks (e.g. DPIA); with 19% indicating no understanding of assessing data risks
- 9% of organisations had no understanding of data being used around their organisation with some not even understanding the concept of what personal data is
It should be noted though that this was a global project and includes non-EU countries, so the results don’t necessarily indicate GDPR compliance per se, but they do provide an insight into a mixed bag of compliance across multiple industry sectors. For the UK, the ICO have indicated:
- Only 67% of organisations who provided a response said that they conduct regular self-assessments or audits of internal data protection standards and practices, and only 67% indicated that they maintain inventories of personal data held.
- It was positive to note that 100% of organisations in the UK who provided a response indicated that they felt they had someone within the organisation at a sufficiently senior level responsible for privacy governance and management.
Commenting on the findings, an ICO representative said:
“The findings suggest that whilst organisations contacted by the ICO and our international partners have a good understanding of the basic concept of accountability, in practice there is significant room for improvement.
“It is important that organisations have appropriate technical and organisational measures in place. This includes having clear data protection policies, taking a ‘data protection by design and default’ approach and continuing to review and monitor performance and adherence to data protection rules and regulations.”
When it comes to GDPR compliance, the “accountability” principle is of course a key change. It’s the data protection principle which requires you to demonstrate that you are compliant, and it appears in various guises across the regulations: from recording that you have the right kind of consent (as the lawful basis for processing) to being able to demonstrate that you keep up-to-date records of your data processing activities and regularly audit your compliance.
With the GDPR anniversary fast approaching (yes, it will be a year come the end of May since GDPR came into play!) it’s as important as ever that everyone takes stock of their continuing compliance, and that will mean reviewing policies, data flows, third-party processor due diligence and employee training for starters.