Less than a Year to GDPR Compliance: Trends and Analysis from Real-World Activity
The GDPR is now less than one year away from coming into effect and organisations are eager to know where they stand compared to others. In order to understand the state of organisational readiness, we compiled information based on our global benchmarking research. This week, at the International Conference of Data Protection and Privacy Commissioners in Hong Kong we released our latest study: GDPR Compliance Benchmarking: Measuring Accountability.
The study spans multiple industries, including 46 organisations that completed a GDPR benchmark. These 46 organisations were either entirely located in the EU or were global organisations with EU operations. In either case, only the EU operations were baselined. The largest concentration of industries was in finance and manufacturing. With this research in hand, we are now able to provide some practical knowledge to measure and enhance your organisation’s GDPR compliance efforts.
To gather this information, we leveraged the Nymity Privacy Management Accountability Framework™ and Nymity Benchmarks™ (an automated solution for baselining and benchmarking organisational privacy management). The framework is a comprehensive list of technical and organisational measures, structured into 13 categories and was developed after years of research and on the ground workshops around the globe learning what organisations do to practically implement privacy management.
It has been mapped to hundreds of laws and privacy frameworks, as well as the GDPR, making it an excellent, industry and jurisdiction-neutral tool to gauge GDPR readiness. When we mapped the GDPR to the framework, we identified 39 GDPR articles that create obligations to put in place a technical or organisational measure to demonstrate compliance and those 55 measures were used to gather data from the 46 participating organisations in our research.
The 46 organisations engaged in the research were asked to rank the 55 measures as either:
- Implemented: The activity is already in place, and has sufficient resources to be maintained
- In progress: The decision has already been made, resources allocated, and action may be underway to implementing the activity
- Desired: The activity is applicable or relevant to the privacy program, but is not currently implemented or resourced (planned)
- N/A: Not applicable or relevant to the organisation
For the purposes of this blog, let’s take a look at some of the most pressing data revealed by the study:
The Top 10 Implemented Activities are as follows:
Three of the top ten implemented activities relate to the 9th measure, “Respond to Requests and Complaints from Individuals- Maintain effective procedures for interactions with individuals about their personal data”. The research revealed that:
- 76% of the organisations surveyed maintain procedures to respond to requests and/or provide a mechanism for individuals to update or correct their personal data (Article 16- Right to Rectification)
- 72% maintain procedures to respond to requests for access to personal data (Article 15- Right of Access)
- 65% maintain procedures to respond to requests to opt-out of, restrict, or object to processing (Article 18- Right to Restriction of Processing)
The second most implemented activity is using contracts as a data transfer mechanism, which 78.26% of EU respondents claimed as “implemented”. 73.91% of respondents have implemented privacy training per Article 39, “Tasks of the Data Protection Officer”. This aligns with broader global statistics and reflects privacy officer understanding that privacy training is critical to drive awareness across the organisation.
Finally, two of the top ten implemented activities relate to Article 33, “Maintain a Data Privacy Breach Management Program”. It would be fair to say in our conversations with customers this is an area of concern. The US has more experience dealing with data breach and the outcomes of breach notification and by comparison, we see that as a whole, European companies are not as prepared in this area at this point in time.
The Top 5 “In Progress” Activities are as follows
Of the top 5, three relate to Article 35 “Data protection impact assessments.” The real challenge in this area is typically what organisations do to maintain these activities over time; it’s one thing to identify problems, and another to build in policies and procedures to prevent future problems from arising.
The Top 5 “Desired” Measures are as follows
These are the activities that the organisation knows are required, but don’t currently have the resources or specialised knowledge to carry out. Activities like maintaining procedures for requests for data portability or requests to be forgotten are areas in which many companies are still hoping for clearer regulator guidance.
Looking forward to 2018
Nymity has a number of specialised tools that can help organisations address GDPR compliance, regardless of where they currently sit on the readiness spectrum. Whether your organisation has just begun to address the requirements, or is nearing completion and seeking an infrastructure to assist in sustainable maintenance for the future, Nymity can help.
Interested in learning more about the GDPR and achieving compliance? Nymity is conducting a 13-part webinar series providing a deep dive into specific areas of GDPR compliance. Learn more by clicking here: