Privacy sweep shows big compliance gaps


By Dylan Bushell-Embling
Tuesday, 05 March, 2019

A global sweep of data protection procedures and capabilities of organisations in 18 countries found that only half are compliant with legal requirements around maintaining data privacy policies.

In addition, only 52% of organisations indicated that they have a documented incident response procedure, while only 58% have clear measures in place to both deal with data breaches and other incidents as they arise and notify individuals and regulators.

The sweep was led by New Zealand's Office of the Privacy Commissioner and the UK's Information Commissioner's Office, and drew the participation of 16 other data protection authorities that have allied with these offices as part of the Global Privacy Enforcement Network.

It found that while less than 10% of organisations have no privacy policies at all governing how they handle personal data, only around 50% of organisations both maintain an internal data privacy policy consistent with legal requirements and would be able to demonstrate that the policy has been embedded into everyday practices.

Furthermore, over 20% of organisations have no programs in place to conduct self-assessments or internal audits of their data protection standards, and 14% were deemed to have poor internal privacy practices.

The survey also identified significant gaps in terms of transparency, with only 55% of organisations maintaining a clear privacy policy which is easily accessible to customers and the general public.

Meanwhile, only half of organisations provide regular data protection training to all staff.

But the report (PDF) also identified signs of improvement, with 33% of respondents indicating that they are in the process of implementing a data privacy framework or had partially implemented internal policies.

In addition, 67% of respondents reported appointing a dedicated data privacy officer or a senior-level member of staff responsible for overall privacy governance, and only 6% either reported that they have nobody responsible for data protection or failed to specify.

Image credit: ©.shock/Dollar Photo Club



  • All content Copyright © 2024 Westwick-Farrow Pty Ltd