TrustArc Blog

Benchmarking GDPR Privacy Operations – New IAPP / TrustArc research report reveals how companies are managing compliance

December 05, 2018

In partnership with the IAPP, TrustArc recently completed a Survey on Privacy Program Metrics, which looked to establish some baseline metrics by which privacy programs around the world can benchmark themselves. The survey contained 27 questions, including demographic questions, and a total of 496 people took the survey.

Some sample questions we set out to answer with the survey were: How many business processes are organizations mapping? How many records of processing activities are they creating in order to comply with Article 30 of the EU’s General Data Protection Regulation? How many privacy or data protection impact assessments are necessary? How many incidents rise to the level of breach reporting? Are people being overwhelmed by data subject access requests?

The largest group of respondents works in the U.S. (39 percent), followed by the European Union, excluding the U.K. (32 percent), the U.K. (12 percent), and Canada (8 percent). Respondents were evenly distributed throughout the range of company sizes, with organizations that employ 25,001 people or more representing 25 percent of survey respondents, followed next by organizations that employ 1-250 people (23 percent).

In this four-part blog post series we will share highlights on the following key takeaways from the report:

  1. Data inventory is becoming a standard privacy management practice
  2. DPIAs are the most common type of privacy assessments
  3. Individual rights / data subject access requests (DSARs) are impacting most organizations
  4. Data breach notification requirements are impacting larger companies

Key Takeaway #1: Data inventories are becoming a standard privacy management practice crucial to privacy compliance

One of the most important steps in designing and building a data privacy program is to create an inventory of all of the business processes within a company. If a company does not know what types of data it collects, how that data is shared, processed and stored, and where the data flows in and out, it is difficult to know whether it meets the requirements of the privacy frameworks that apply to its business. It is also difficult to know where data resides, which is necessary in order to respond efficiently to data subject access requests.

As privacy regulations become broader in scope, requiring companies to demonstrate how they reduce and manage risk, the importance of building and maintaining a data inventory is increasing. The EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two examples of regulations that rely heavily on a comprehensive data inventory to support risk management, compliance reporting, and responding to individual rights and data subject access requests.

Our survey results showed that 83% of respondents have created a data inventory of their business processing activities, which is a significant increase from the 43% of respondents who reported engaging in routine inventory and mapping exercises two years ago. We also found that 20% of respondents are using specialized data inventory and mapping software, which is up from 10% two years ago.

TrustArc Data Flow Manager

Data Flow Manager, part of the TrustArc Privacy Platform, is a dedicated privacy data mapping system which can help build and manage a data inventory, data flow maps, and compliance reporting such as GDPR Article 30.

Data Flow Manager is based on the business process approach, which TrustArc recommends based on its extensive experience developing and building GDPR and CCPA compliance programs for companies of all sizes around the world.

Data Flow Manager provides a three-step, wizard-driven workflow that guides users through entering all of the information required to build a business process record. There is also an option to bulk upload information from an existing data inventory.

Data Flow Manager also includes the TrustArc Intelligence Engine, which automatically analyzes a company’s privacy risk based on GDPR high-risk principles. TrustArc states that this automation can save up to 75% of the time it would take to analyze the risk manually. It is integrated with TrustArc Assessment Manager, which automates the management of DPIAs, PIAs, and other privacy risk assessments.

Data Flow Manager also provides a streamlined way to generate visual representations of data flows throughout the data lifecycle.

If you would like to learn more about Data Flow Manager, contact us!

To read the full report, download it here.