On March 5, 2019, the Global Privacy Enforcement Network (“GPEN”), a global network of more than 60 data protection authorities (“DPAs”) around the world, published the results of its 2018 intelligence gathering operation on organizations’ data privacy accountability practices (the “Sweep”). On the same date, some participating DPAs released the results of the Sweep exercise carried out in their respective jurisdiction.
The Sweep was jointly coordinated by the New Zealand Office of the Privacy Commissioner (“OPC”) and the UK Information Commissioner’s Office (“ICO”). It was carried out by 18 DPAs around the world to assess how well organizations have implemented the concept of accountability into their own internal privacy policies and programs. This is a concept explicitly required by the EU General Data Protection Regulation (“GDPR”) and other national data protection laws (such as those of Canada, Mexico, Columbia, Australia, Brazil and Singapore ), and has become a core element of data protection regulators’ and industry guidance in general.
The participating DPAs contacted 667 organizations with a set of pre-determined questions that focused on the following key elements: (1) the importance of policies and procedures and internal governance; (2) privacy training and awareness; (3) transparency about data practices; (4) the assessment and mitigation of privacy risks; (5) verification and monitoring; and (6) complaints handling and incident management.
While many participating DPAs contacted organizations in a particular sector(s) of relevance to them, some participating DPAs contacted organizations across a range of sectors, such as the ICO, the Irish Data Protection Commission and the Hong Kong Office of the Privacy Commissioner for Personal Data. In France, the French DPA (“CNIL”) decided to audit data processors to determine how they comply with their new obligations arising from the application of the GDPR.
Of the 667 organizations contacted as part of the Sweep, 356 organizations responded. The participating DPAs noted the following trends at international level:
- Policies and Procedures: Approximately half of the organizations indicated that they maintain an internal privacy policy in line with legal requirements and would be able to demonstrate that their day-to-day practices are performed according to this policy.
- Governance: Nearly three quarters of organizations across all sectors and jurisdictions had appointed a dedicated individual or team responsible for ensuring that their organization complied with relevant data protection rules and regulations.
- Training & Awareness: Organizations were generally found to be quite good at delivering some form of data protection training to their employees. A few organizations gave examples of good practice, noting that online training systems had been implemented, and network access would be revoked if training was not completed before a specified deadline. However, it was found that organizations often failed to provide regular refresher training, or only provided training to some employees.
- Monitoring: When it comes to monitoring internal performance in relation to data protection standards, many organizations were found to fall short, with around a quarter who responded having no programs in place to conduct self-assessments and/or internal audits. The organizations that indicated that they have monitoring programs in place generally gave examples of good practice, noting that they conduct annual audits or reviews and/or regular self-assessments.
- Transparency: A large majority of organizations indicated that they actively maintain privacy policies, which explain how they handle personal data, and which are often easily accessible to the public. Less than 10% of organizations responded having no policies at all.
- Responsiveness & Incident Management: Over half of the organizations surveyed indicated that they have documented incident response procedures, and that they maintain up to date records of all data security incidents and breaches. However, a number of organizations indicated that they have no processes in place to respond appropriately in the event of a data security incident. It also was found that a number of organizations had no processes in place to deal with the complaints and queries raised by data subjects.
Overall, participating DPAs found that some organizations have a good understanding of how to implement and demonstrate accountability, and many are building some of the elements of accountability. There is however a need for better implementation in the key areas of accountability.
As a result of the Sweep, individual DPAs may contact organizations in their own countries to assess what remedial action they need to take to improve user controls over their personal information. In addition, this Sweep demonstrates how important it is for all organizations to build and implement a comprehensive, consistent and sustainable data privacy management program that embeds privacy requirements into the fabric of organizations. Organizations will increasingly be expected to be able to demonstrate existence of such programs both to their internal stakeholders, boards and management and to data privacy regulators around the world.
To learn more about the trends observed at international level, please see the full international report. To learn more about the national results of the Sweep carried out in France, Ireland, the UK and in Hong-Kong, please see the CNIL’s press release, the DPC’s Sweep Results Reporting Form, the ICO’s blog, and the PCPD’s 2018 Study Report on Implementation of Privacy Management Program by Data Users respectively.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code