A new benchmarking study by IAPP & TRUSTe is available: Preparing for the GDPR: DPOs, PIAs, and Data Mapping. Contrary to many mainstream media reports that indicate a lack of GDPR awareness, more than 90% of organizations have begun preparing for GDPR compliance.
- Over 90% of survey respondents have at least begun preparations for GDPR compliance.
- EU companies are further along the compliance path with 67% reporting their implementation is underway or completed vs. 42% for the US.
- 43% of companies report they already conduct data inventory and mapping projects, and another 30% are planning to do so in the next 12 months.
- 71% of organizations are currently conducting Data Privacy Impact Assessments.
Over 73% of respondents have customers or employees in the EU, and 68% stated that their organization must meet GDPR requirements. This result shows the broad reach of the GDPR, which encompasses companies of all sizes and locations. Most companies, over 90%, have begun to prepare, which demonstrates that privacy professionals are taking these new requirements seriously.
Roughly 80% of survey respondents interpreted the GDPR as requiring their organization to appoint a DPO (additional guidance on this requirement is expected to arrive in December). Although conducting privacy assessments is also a requirement under GDPR, many organizations already conduct them as part of their privacy program. The importance of conducting these assessments is illustrated by the fact that 78% of organizations that report the GDPR will not even apply to them still conduct privacy assessments. The following bar chart shows motivations for conducting privacy assessments:
[Bar chart: motivations for conducting privacy assessments. Image by IAPP & TRUSTe]
To complete these assessments, companies are using a mixture of technology and manual processes. Fewer organizations engage in routine data inventory and mapping for privacy management purposes, and their reasons are shown in the chart below.
[Chart: reasons for conducting data inventory and mapping. Image by IAPP & TRUSTe]
The study included a broad cross section of organizations in the US, EU, Canada, and other jurisdictions such as Asia and the Middle East. Companies of all sizes are represented, ranging from below 1,000 employees to more than 25,000 employees. Industries ranged from software and services to government offices and health care.
Companies gave feedback on overall preparations for the GDPR, along with actions taken on key components including assigning a Data Protection Officer, understanding where and how personal data is used within their organization, and conducting Data Privacy Impact Assessments.
Organizations of all sizes and geographic locations are preparing to meet GDPR requirements. Chances are your organization also has to meet these requirements, so preparations should have started already. TRUSTe has a range of solutions to help you plan and comply with the GDPR.