TrustArc Blog

Benchmarking GDPR Privacy Operations – New IAPP / TrustArc research report reveals how companies are managing compliance (DPIAs)

January 03, 2019

In partnership with the IAPP, TrustArc recently completed a Survey on Privacy Program Metrics, which looked to establish some baseline metrics by which privacy programs around the world can benchmark themselves. The survey contained 27 questions, including demographic questions, and a total of 496 people took the survey.

Some sample questions we set out to answer with the survey were: How many business processes are organizations mapping? How many reports are they creating in order to comply with Article 30 of the EU General Data Protection Regulation? How many privacy or data protection impact assessments are necessary? How many incidents rise to the level of breach reporting? Are people being overwhelmed by subject access requests?

The largest group of respondents works in the U.S. (39 percent), followed by the European Union, excluding the U.K. (32 percent), the U.K. (12 percent), and Canada (8 percent). Respondents were evenly distributed throughout the range of company sizes, with organizations that employ 25,001 people or more representing 25 percent of survey respondents, followed next by organizations that employ 1-250 people (23 percent).

In this 4 part blog post series we are sharing highlights on the following key takeaways from the report:

  1. Data inventory is becoming a standard privacy management practice Published 12/5/2018
  2. DPIAs are the most common type of privacy assessments
  3. Individual rights / data subject access rights (DSAR) requests impacting most organizations
  4. Data breach notification requirements impacting larger companies

Our last post in this series discussed how data inventory is becoming a standard privacy management practice; in this post we will show that DPIAs are the most common type of privacy assessments.

Many privacy regulations – and the GDPR in particular – take a risk-based approach to data protection. And, of course, risk lurks throughout the data processing life cycle.

While privacy impact assessments, often called data protection impact assessments in the EU, have long been integral parts of effective privacy programs, DPIAs are now legally required in some circumstances by the EU GDPR, which has brought focus to the spectrum of impact assessments, from initial impact assessments and targeted assessments against certain frameworks all the way to formal DPIAs delivered to EU data protection authorities.

Thus, we explored with respondents the types of privacy assessments their organizations currently conduct. A list of 11 different types of assessments, from which respondents could select multiple answers, as well as an open-ended “Other” answer choice, were presented.

The results showed that DPIAs were the most common privacy assessment, with 60 percent of respondents reporting that they conduct them. Privacy Impact Assessments (PIAs) were also conducted by about half (48 percent) of respondents.

For those organizations not completing DPIAs, the most common reason was because that organization felt it did not engage in high-risk processing activities.

Solution: TrustArc Assessment Manager

Assessment Manager streamlines the end to end assessment process following the proven TrustArc methodology developed and refined through thousands of engagements. Identify gaps, record risks, manage tasks, maintain comprehensive audit trails, and produce compliance reports to meet GDPR Article 35 DPIA, Vendor Risk, International Data Transfer and other regulatory requirements.

The assessments, including the DPIA assessment, are powered by intelligent content and leverage built in logic and automated risk scoring. Skip logic functionality, as well as configurable compliance expressions, enable systematic identification of noncompliant answers and recommendations on how to remediate potential issues.  

TrustArc also has a large team of expert consultants who can help supplement your resources to create and implement your GDPR program.

If you would like to learn more about Assessment Manager, contact us!

To read the full report, download it here.