New IAPP and TrustArc benchmarking research reveals increased use of technology to manage privacy operations
December 2018 by IAPP and TrustArc
TrustArc and the International Association of Privacy Professionals (IAPP), the world’s largest global information privacy community, have announced the results of new benchmarking research that examined the current state of privacy programme management. The research shows that critical activities such as creating data inventories, conducting data protection impact assessments (DPIA) and managing data subject access rights requests (DSAR) are now well established in large and small organisations in both Europe and the United States.
To understand the different types of privacy and security operations, who is running them and where, TrustArc and the IAPP surveyed close to 500 privacy professionals in the U.S., EU, UK and Canada.
Key findings from the survey include:
Data inventory is becoming a standard privacy management practice
● 83% have created a data inventory of their business processing activities, which is a significant increase from the 43% of respondents who reported engaging in routine inventory and mapping exercises two years ago.
● 20% are using specialised data inventory and mapping software, up from 10% two years ago.
Individual rights / data subject access rights (DSAR) requests impacting most organisations
● 72% report receiving one or more DSAR requests since GDPR went into effect May 25, 2018.
● 47% receive 1-10 requests / month; 16% 11-99 requests / month; 9% 100 or more requests / month.
● 30% have partially automated DSAR management; 3% have fully automated and 57% are using a manual process.
DPIAs are the most common type of privacy assessments
● 75% of respondents subject to the GDPR report they have completed one or more Data Protection Impact Assessments (DPIAs).
● 46% use technology tools for DPIA management, including 20% who use a specialised software solution; 47% use a manual process, down from 66% two years ago.
● DPIAs, Privacy Impact Assessments (PIAs), and Vendor / Third Party Risk are the most popular types of privacy assessments, and are used significantly more often than popular security assessments such as ISO 27001 and NIST.
Data breach notification requirements impacting larger companies
● 27% of respondents from large organisations report filing one or more breach notifications vs 16% from small organisations.
“Among our thousands of members, we know that privacy teams are now reporting on a regular basis to company leadership, and consequently they need to demonstrate results and a return on investment,” said Trevor Hughes, CEO and President of the IAPP. “With this new study, we are helping to identify and develop the metrics that our members require.”
“GDPR, CCPA and other global privacy regulations have forced organisations to account for how they manage data,” said Chris Babel, CEO of TrustArc. “The results of this global survey reinforce the growing role of privacy management solutions in addressing these issues and the importance organisations are placing on demonstrating compliance to regulators and consumers.”