Privacy & Information Security Law Blog

On March 5, 2019, the Global Privacy Enforcement Network (“GPEN”), a global network of more than 60 data protection authorities (“DPAs”) around the world, published the results of its 2018 intelligence gathering operation on organizations’ data privacy accountability practices (the “Sweep”). On the same date, some participating DPAs released the results of the Sweep exercise carried out in their respective jurisdiction.

The Sweep was jointly coordinated by the New Zealand Office of the Privacy Commissioner (“OPC”) and the UK Information Commissioner’s Office (“ICO”). It was carried out by 18 DPAs around the world to assess how well organizations have implemented the concept of accountability into their own internal privacy policies and programs. This is a concept explicitly required by the EU General Data Protection Regulation (“GDPR”) and other national data protection laws (such as those of Canada, Mexico, Columbia, Australia, Brazil and Singapore ), and has become a core element of data protection regulators’ and industry guidance in general.

The participating DPAs contacted 667 organizations with a set of pre-determined questions that focused on the following key elements: (1) the importance of policies and procedures and internal governance; (2) privacy training and awareness; (3) transparency about data practices; (4) the assessment and mitigation of privacy risks; (5) verification and monitoring; and (6) complaints handling and incident management.

While many participating DPAs contacted organizations in a particular sector(s) of relevance to them, some participating DPAs contacted organizations across a range of sectors, such as the ICO, the Irish Data Protection Commission and the Hong Kong Office of the Privacy Commissioner for Personal Data. In France, the French DPA (“CNIL”) decided to audit data processors to determine how they comply with their new obligations arising from the application of the GDPR.

Of the 667 organizations contacted as part of the Sweep, 356 organizations responded. The participating DPAs noted the following trends at international level:

• Policies and Procedures: Approximately half of the organizations indicated that they maintain an internal privacy policy in line with legal requirements and would be able to demonstrate that their day-to-day practices are performed according to this policy.
• Governance: Nearly three quarters of organizations across all sectors and jurisdictions had appointed a dedicated individual or team responsible for ensuring that their organization complied with relevant data protection rules and regulations.
• Training & Awareness: Organizations were generally found to be quite good at delivering some form of data protection training to their employees. A few organizations gave examples of good practice, noting that online training systems had been implemented, and network access would be revoked if training was not completed before a specified deadline. However, it was found that organizations often failed to provide regular refresher training, or only provided training to some employees.
• Monitoring: When it comes to monitoring internal performance in relation to data protection standards, many organizations were found to fall short, with around a quarter who responded having no programs in place to conduct self-assessments and/or internal audits. The organizations that indicated that they have monitoring programs in place generally gave examples of good practice, noting that they conduct annual audits or reviews and/or regular self-assessments.
• Transparency: A large majority of organizations indicated that they actively maintain privacy policies, which explain how they handle personal data, and which are often easily accessible to the public. Less than 10% of organizations responded having no policies at all.
• Responsiveness & Incident Management: Over half of the organizations surveyed indicated that they have documented incident response procedures, and that they maintain up to date records of all data security incidents and breaches. However, a number of organizations indicated that they have no processes in place to respond appropriately in the event of a data security incident. It also was found that a number of organizations had no processes in place to deal with the complaints and queries raised by data subjects.

Overall, participating DPAs found that some organizations have a good understanding of how to implement and demonstrate accountability, and many are building some of the elements of accountability. There is however a need for better implementation in the key areas of accountability.

As a result of the Sweep, individual DPAs may contact organizations in their own countries to assess what remedial action they need to take to improve user controls over their personal information. In addition, this Sweep demonstrates how important it is for all organizations to build and implement a comprehensive, consistent and sustainable data privacy management program that embeds privacy requirements into the fabric of organizations. Organizations will increasingly be expected to be able to demonstrate existence of such programs both to their internal stakeholders, boards and management and to data privacy regulators around the world.

To learn more about the trends observed at international level, please see the full international report. To learn more about the national results of the Sweep carried out in France, Ireland, the UK and in Hong-Kong, please see the CNIL’s press release, the DPC’s Sweep Results Reporting Form, the ICO’s blog, and the PCPD’s 2018 Study Report on Implementation of Privacy Management Program by Data Users respectively.