GDPR Compliance Benchmarking: Measuring Accountability



Copyright 2017 by Nymity Inc. All rights reserved. All text, images, logos, trademarks and information contained in this document are the intellectual property of Nymity Inc. unless otherwise indicated. Reproduction, modification, transmission, use or quotation of any content, including text, images, photographs etc., requires the prior written permission of Nymity Inc.

Executive Summary

The concept of accountability has emerged as a dominant theme in global privacy and data protection law, policy and organisational practice over the past years, and is considered fundamental to privacy management. Under the EU General Data Protection Regulation (GDPR) it is a legal obligation. Article 5(2) requires that the controller be able to demonstrate compliance with the data protection principles set out in Article 5(1) ("accountability"). This obligation links closely to Article 24, which requires the implementation of appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of personal data is performed in accordance with the GDPR. What "appropriate" means depends largely on the specifics of the individual company; what works for one company does not necessarily work for another, but the obligation to demonstrate compliance exists in all instances.

Regulators' expectations show that the obligation to demonstrate compliance is more than a one-off inventory or snapshot of your operations at a certain moment in time. It is not a tick-box exercise or a one-time gap analysis. Demonstrating compliance requires ongoing awareness and understanding of your personal data processing operations and embedding privacy management throughout your organisation.

Over the past few months, Nymity has embarked on an ongoing effort to research and benchmark the state of GDPR compliance and to offer insights into how regulators and organisations can measure it. This report is based on an analysis of the aggregated data of 190 organisations worldwide, including 46 EU companies, that baselined their privacy compliance and management programs using the Nymity Privacy Management Accountability Framework (the "Accountability Framework") and Nymity's automated benchmarking tool, Nymity Benchmarks.

Among EU organisations, a wide variety of industries is represented, with the largest concentrations in finance, professional services and manufacturing, and there is a roughly even distribution of company sizes.

GDPR compliance insights are woven throughout the main body of the report. While each reader will find different areas of the report valuable, we would like to offer some key insights.

Organisations have invested heavily in GDPR compliance activities related to data subject access rights, breach management, Standard Contractual Clauses and transparency requirements

Of the 55 technical and organisational measures that were benchmarked in relation to GDPR obligations (note: not all 55 apply to all organisations), the top implemented measures relate to data subject rights articulated in Articles 15 to 19. Additionally, organisations have prioritised the transparency requirements found under Articles 12 to 14. Interestingly, the second-ranked measure was putting in place Standard Contractual Clauses as a data transfer mechanism. No doubt this has to do with the invalidation of the EU-US Safe Harbor agreement and uncertainty about the EU-US Privacy Shield. By contrast, in Nymity's 2015 benchmarking study this measure was one of the lowest-ranked implemented measures.

Organisations are dedicating resources to addressing Article 30 (Records of processing activities) requirements and procedures related to Data Protection Impact Assessments and Privacy by Design

The top-ranked In Progress measure is maintaining a data inventory to address Article 30 requirements. In Nymity's 2015 benchmarking study, this measure was also the top-ranked In Progress measure for all global organisations represented; overall, global organisations have not made much progress in this area since. Additionally, organisations are prioritising measures that relate to DPIAs and Privacy by Design, but the implementation rates for these measures are currently quite low.

Over 50% of the organisations in this study have appointed a Data Protection Officer

There is great interest from both organisations and regulators regarding the appointment of a data protection officer (DPO). Under the GDPR, not all organisations are required to appoint a DPO. The vast majority of organisations in this research identified this measure as applicable, and 100% of financial company participants (8) have appointed a DPO.

If you have not yet baselined and benchmarked your organisation's GDPR compliance program to compare against others, we hope the insights presented in this report will be a helpful guide in measuring the current state of your program and priorities.

Topics

Background and Method
Current State of GDPR Compliance: Top Implemented Technical and Organisational Measures Overall
Looking Ahead: Top In Progress Measures
Resource Challenges: Top Desired Measures
Insight Highlights: Appointment of a DPO; Third-Party Risk

Background and Method

Research Objectives

The primary goal of this research is to present an overall picture of GDPR compliance, approximately 8 months before the GDPR becomes applicable (25 May 2018), by analysing the comparative benchmark data of existing GDPR compliance initiatives at responsible organisations. The research is also intended to help organisations understand how they might measure compliance and accountability within their own organisation. It is our intent that the insights accumulated from this research will help organisations gain critical insights into their own compliance programs, and will help regulators understand the practical, operational initiatives that organisations are undertaking as part of their GDPR compliance preparations.

Background on the Research Data and Method

Organisations all over the world, whether building or enhancing a privacy management program, preparing to comply with the GDPR or far along in the process of complying, are using the Nymity Privacy Management Accountability Framework (the "Framework") to plan, structure and report on their program and their compliance. The Framework evolved from Nymity's research on accountability. In 2002, Nymity began its research on accountability and on building compliance solutions for the individuals responsible for privacy within organisations (the "Privacy Office"). In 2009, this research was enhanced through on-the-ground workshops around the world, including with privacy and data protection regulators, examining what it would take for organisations to demonstrate accountability (e.g. internally to management or a board, or externally to a regulator). Our research revealed that, no matter the industry or jurisdiction, privacy officers and other privacy leaders in organisations conduct many of the same activities.

This led to the development of the Framework: a comprehensive list of technical and organisational measures (privacy management activities) that is jurisdiction- and industry-neutral and is structured into 13 privacy management categories (e.g. "Manage Third Party Risk" and "Maintain Training and Awareness Program"). It has been made available to the global privacy community at no cost and has become a recognised framework used for a variety of purposes, including structuring a privacy management program, baselining privacy management programs, other research initiatives and, as mentioned above, planning and structuring GDPR compliance initiatives. The Framework also provides the privacy office with a structure to effectively define and communicate privacy management within its organisation and, ultimately, to demonstrate accountability.

Framework Mapping to the GDPR

Nymity has mapped the Framework to hundreds of laws, privacy frameworks and industry guidelines, including the GDPR. Mapping to the GDPR has helped organisations streamline their compliance planning by identifying a selection of specific technical and organisational measures that may help produce documentation of compliance. When Nymity's research team analysed the GDPR and mapped it to the Framework, it found that:

- 39 of the 99 GDPR Articles require evidence of an ongoing technical and organisational measure to demonstrate compliance, and
- those 39 Articles map to 55 technical and organisational measures identified in the Framework (note: not all GDPR obligations apply to every organisation).

Baselining GDPR compliance

The organisations in this study used Nymity's automated benchmarking tool, Nymity Benchmarks, to baseline their existing compliance efforts in relation to the 55 technical and organisational measures. Each measure was assigned one of the following statuses:

Implemented: The activity is already in place and has sufficient resources to be maintained.
In Progress: The decision has already been made, resources allocated, and action may be underway toward implementing the activity.
Desired: The activity is applicable or relevant for GDPR compliance, but is not currently implemented or resourced (planned).
N/A: Not applicable for GDPR compliance in the organisation.

To create this initial report and group of insights, the aggregated data of the 46 EU companies were analysed and, in some instances, compared with benchmark data from other regions of the world, the entire global dataset, or industry and size segments.

IMPORTANT NOTE: There are, of course, important caveats. This research report only reflects GDPR compliance initiatives at organisations that have a privacy office. While the privacy programs represented in this report are at various stages of maturity, the research does not include organisations without individual(s) responsible for privacy; the data presented therefore focus on responsible organisations that have already invested in GDPR compliance and privacy management.

Overview of the Organisations

Among the 46 participating EU organisations, a variety of industries is represented, including finance, manufacturing, healthcare, pharmaceutical, professional services and insurance. The largest concentrations of organisations were found in the finance, professional services and manufacturing sectors. There is a fairly even distribution of company sizes, with the largest group in the 5,000 to 25,000 employee range. It is important to note that these organisations fall into two categories:

1. Organisations entirely located in the EU
2. Global companies with EU operations

For global companies, only the EU operations were baselined and benchmarked.

Current State of GDPR Compliance: Top Implemented Technical and Organisational Measures Overall

The Top 10 Implemented Measures Reflect Compliance Initiatives Respecting Data Subject Rights, Transparency, Cross-Border Transfers and Breach Management

Implemented measures are those that are resourced, developed, maintained and documented.

Important note: The Framework includes 13 security-related activities within the privacy management category entitled "Manage Information Security Risk". Two of these activities ranked among the top implemented activities [1]. This was expected, as responsible organisations have been addressing personal data security long before implementing a GDPR compliance program. We have removed these activities from our analysis in order to highlight compliance measures outside the security area.

The 10 implemented measures overall show a strong focus on data subject rights, breach management, cross-border transfers and transparency.

1. Maintain a data privacy policy: 82.61%
2. Use contracts as a data transfer mechanism (e.g., Standard Contractual Clauses): 78.26%
3. Maintain a data privacy notice that details the organisation's personal data handling practices: 76.09%
4. Maintain procedures to respond to requests and/or provide a mechanism for individuals to update or correct their personal data: 76.09%
5. Maintain a log to track data privacy incidents/breaches: 73.91%
6. Conduct privacy training: 73.91%
7. Maintain procedures to respond to requests for access to personal data: 71.74%
8. Identify ongoing privacy compliance requirements, e.g., law, case law, codes, etc.
9. Maintain procedures to respond to requests to opt-out of, restrict or object to processing: 65.22%
10. Maintain a data privacy incident/breach response plan: 65.22%

[1] Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring): 84.78% implemented; Maintain procedures to restrict access to personal data: 73.91% implemented.

Using Standard Contractual Clauses as a Data Transfer Mechanism is the 2nd Highest Implemented Activity

78% of EU organisations identify using Standard Contractual Clauses as a data transfer mechanism. In Nymity's 2015 global benchmarking study this activity was among the lowest implemented overall. No doubt the invalidation of the EU-US Safe Harbor agreement and uncertainty about the future of the EU-US Privacy Shield account for the high implementation rate of this activity now, both among EU organisations and among global organisations overall. From a global perspective, all organisations in Nymity's benchmark data set have invested in this activity as well.

[Chart: implementation status of contracts as a data transfer mechanism, EU (46) vs. all organisations (190)]

Looking at the rankings for implementation of Binding Corporate Rules (BCRs) and the EU-US Privacy Shield, we see that:

- a share of EU organisations consider BCRs not applicable to their organisation;
- 50% consider the EU-US Privacy Shield not applicable;
- more EU organisations have the EU-US Privacy Shield in place (35%) than BCRs (21%).

3 of the Top 10 Most-Implemented GDPR Measures Relate to Data Subject Rights

Of the top 10 implemented activities, 3 relate to GDPR obligations respecting the rights of data subjects. Nymity has identified 10 technical or organisational measures that organisations put in place to maintain effective procedures for interacting with data subjects about their rights. Six of these measures were mapped to the GDPR, and three of those six were among the top 10 implemented.

3 of the Top 10 Most-Implemented GDPR Measures Relate to Data Subject Rights (cont.)

- 76.09% maintain procedures to respond to requests and/or provide a mechanism for individuals to update or correct their personal data (Article 16, Right to rectification)
- 71.74% maintain procedures to respond to requests for access to personal data (Article 15, Right of access)
- 65.22% maintain procedures to respond to requests to opt-out of, restrict or object to processing (Article 18, Right to restriction of processing)

Putting in place procedures to address data subject rights is not new; this is a very mature component of global privacy law [2]:

- Currently, 112 countries have access requirements.
- Globally, there are 1,159 obligations.
- Existing EU laws contain 192 obligations related to data subject access requests.

Because this is a mature area of law, it is not surprising that the implementation rates rank so high.

[2] The above statistics were generated from Nymity LawTables.

EU Organisations have Invested Heavily in Privacy Training

The obligation to provide privacy training and awareness derives from Article 39 of the GDPR regarding the tasks of the data protection officer. Article 39(1) provides that the data protection officer shall have at least the following tasks: "(a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions". Article 39(1)(b) additionally lists awareness-raising and training of staff involved in processing operations among the DPO's tasks.

Conduct privacy training: 73.91% Implemented, 19.57% In Progress

EU Organisations have Invested Heavily in Privacy Training (cont.)

Compared with other regions, we see that this is an area in which organisations around the world, regardless of the applicable compliance regime, have invested significant resources. The fact that these numbers place the measure among the top implemented activities likely demonstrates that it is considered to have a significant impact on privacy risk mitigation and is more straightforward to address than others.

[Chart: implementation status of privacy training, all organisations (190) vs. EU (46)]

2 of the Top 10 Implemented Measures Relate to "Maintain a Data Privacy Breach Management Program"

Article 33 of the GDPR (Notification of a personal data breach to the supervisory authority) is garnering the attention of organisations, especially given administrative fines of up to 2% of total worldwide annual turnover (or EUR 10 million, whichever is higher) for non-compliance. It is not a surprise that we see prioritisation in this area: 2 of the top 10 most implemented measures relate to this category. Nymity has identified 9 technical and organisational measures that relate to this area and has mapped 3 of them to obligations in the GDPR:

- 73.91% maintain a log to track data privacy incidents/breaches (Article 33, Notification of a personal data breach to the supervisory authority)
- 65.22% maintain a data privacy incident/breach response plan (Articles 33 and 34)
- Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol; this measure was not among the top 10 implemented.

Breach Management Program Activities: Regional Comparison

[Chart: implementation status of "Maintain a log to track data privacy incidents/breaches", "Maintain a data privacy incident/breach response plan" and "Maintain a breach notification reporting protocol", EU (46) vs. Global vs. US (36)]

In general, we see that both EU and US organisations have invested quite heavily in procedures related to tracking incidents/breaches and maintaining a response plan. While EU companies have generally not had to deal with breach legislation to the same extent as US companies, it is clear that this is now an area of focus. It is interesting to note that US companies currently rank higher in procedures relating to reporting protocols, no doubt because of strict US state-law requirements that have existed for some time. Overall the numbers are quite high for these measures, which may be due in part to the large percentage of regulated companies in the data set (e.g. financial), which have had to deal with these provisions for some time.

Breach Management Program: Comparison by Industry

[Chart: implementation status of "Maintain a log to track data privacy incidents/breaches", "Maintain a data privacy incident/breach response plan" and "Maintain a breach notification reporting protocol", all EU (46) vs. Finance (8) vs. Manufacturing (12) vs. Professional Services (6)]

From an industry perspective, we see that all organisations consider these measures applicable to them. Again, the implementation rates for putting in place a breach notification reporting protocol are tracking slightly behind the other measures.

Organisations Prioritise Resources for Maintaining a Data Privacy Policy and a Data Privacy Notice

Within the privacy community, the terms "privacy policy" and "privacy notice" are often used interchangeably. Nymity's Accountability Framework makes a clear distinction between the two, and this is reflected in the GDPR as well. A privacy notice is needed under Article 12 on transparency, while a privacy policy relates to the overall set of requirements embedded in the organisation as required by Article 24. Activities related to each are among the highest implemented by organisations:

- Privacy Policy: 82.61% implemented (top implemented measure overall)
- Privacy Notice: 76.09% implemented

A privacy policy is an organisational-level document created to provide guidance to employees on the processing and protection of personal information. It synthesises business, legal, regulatory and data subject requirements into comprehensive guidance for the organisation to achieve compliance with laws, regulations and contracts while reducing the risk of a data breach.

Data privacy notices are tailored to the audience and means of communication and reflect an organisation's privacy policy and practices. Generally, they are made readily available to the public. Articles 12 to 14 of the GDPR address transparency for data subjects and the detailed content that is required to be provided at the time personal data are obtained.

We note that most jurisdictions around the globe legally mandate a notice requirement, and some also mandate the creation of an organisational privacy policy. Our 2015 study showed that implementation rates for maintaining a data privacy policy and a data privacy notice were also among the highest.

Looking Ahead: Top In Progress Technical and Organisational Measures

Plans for Organisations: The Top Ranked In Progress Measures

In Progress measures are defined as those for which a decision has already been made, resources allocated, and action may be underway toward implementing the measure. At a glance, the top 5 In Progress measures are:

1. Maintain an inventory of personal data or records of processing activities (Article 30): 60.87%
2. Integrate Privacy by Design into system and product development (Article 25): 54.35%
3. Maintain PIA/DPIA guidelines and templates (Article 35): 47.83%
4. Conduct PIAs or DPIAs for changes to existing programs, systems or processes (Article 35): 47.83%
5. Maintain documentation as evidence to demonstrate compliance and/or accountability (Article 24): 47.50%

EU Organisations Prioritise Article 30 Requirements Regarding Records of Processing Activities

The top In Progress measure is maintaining a data inventory, and further analysis reveals how this is considered a top planning priority:

- 100% of EU organisations in this research identify that maintaining a record of processing is applicable to them.
- 60.87% of EU organisations are In Progress on addressing the requirement.
- 21.74% of EU organisations have implemented the measure, compared with 18.42% of global organisations and 25% of US organisations.

Creating a data inventory is a difficult task and requires a significant investment of resources, which accounts for the low implementation rates across the globe. However, the GDPR's Article 30 on records of processing activities does not require a traditional personal data inventory. Article 30 replaces the current EU legal obligations (under Directive 95/46/EC) requiring organisations to notify and register processing activities with local data protection authorities (DPAs). Under the GDPR, organisations are no longer required to make such notifications but are instead required to maintain a record of all their processing activities internally and to make it available to the supervisory authority on request. The existing notification requirements vary by country, with some countries requiring more notifications, and more information as part of each notification, than others. Organisations compliant with the existing requirement will have this information readily on hand, and in theory it should not be difficult to pull together the Article 30 record quickly. In practice, however, Nymity observes that many organisations are undertaking a more traditional data inventory.

Paul Breitbarth, Nymity's Director of EU Certification Research and Senior Solutions Advisor (and former Senior International Officer, Dutch DPA), observes: "From conversations with our customers and prospects, we also learn that many organisations see the introduction of the GDPR as a suitable moment to revisit their processing activities and see if processes can or may need to be streamlined, and to find out if some processing activities may have been missed in past notifications."

Maintain a Data Inventory: Regional Comparison

[Chart: status of "Maintain an inventory of personal data or records of processing activities", EU overall (46) vs. US (36) vs. Global (92)]

In our 2015 benchmarking study of global organisations, this activity also ranked first among In Progress activities. Looking at the data today, we can see that global companies have not made a great deal of progress, and implementation rates remain rather low for both global and EU organisations.

Maintain a Data Inventory: Comparison by Industry and by Size

[Chart: status of "Maintain an inventory of personal data or records of processing activities", EU overall (46) vs. Finance (8) vs. Manufacturing (12) vs. Professional Services (6), and by EU employee count: <5,000, 5,001-25,000, 25,001-100,000, >100,000]

The smallest and largest EU organisations have made the greatest strides in this area. Organisations with 25,001 to 100,000 EU employees have the furthest to go and represent the largest group for which this activity has the status Desired.

3 of the Top In Progress Activities Relate to "Monitor for New Operational Practices"

Nymity has identified seven measures that relate to the practices organisations put in place to identify new processes or material changes to existing processes, and to ensure that Privacy by Design principles are integrated into product and system development. All of the measures in this category map to obligations in the GDPR. Three measures in this category rank in the top 5 list of In Progress activities:

- 54.35% are integrating Privacy by Design into system and product development (Article 25)
- 47.83% maintain PIA/DPIA guidelines and templates (Article 35)
- 47.83% conduct PIAs or DPIAs for changes to existing programs, systems or processes (Article 35)

[Chart: status of "Conduct PIAs/DPIAs for new programs, systems and processes" and "Conduct PIAs/DPIAs for changes to existing programs", EU overall (46) vs. US (36) vs. all organisations (190)]

Overall, the implementation rates for measures related to DPIAs are significantly lower than for other privacy management areas. This aligns with Nymity's experience working with hundreds of organisations, which attest that the traditional approach to PIAs/DPIAs presents many challenges, including: resource intensity for the Privacy Office/DPO; business units that are not generally motivated to take ownership of the process or complete the PIA; advice that ages quickly; a standard and inflexible methodology; and unnecessary resources spent on similar processing projects.

Comparing the statistics for conducting DPIAs for changes to existing programs with those for conducting PIAs/DPIAs for new programs, we observe higher implementation rates for DPIAs on new programs. Constantine Karbaliotis, Nymity's Vice President, Solutions Partnerships and former Global Chief Privacy Officer, suggests that this aligns with his own experience and that of the hundreds of organisations he works with: "In general, companies have practices around new products and procedures but after that, the results tend to sit on the virtual shelf. It is simply more straightforward to do the first-level work than it is to maintain a procedure going forward."

EU Organisations Prioritise Maintaining Documentation as Evidence to Demonstrate Compliance

As mentioned above, demonstrating compliance is a legal obligation under the GDPR. Article 5(2) requires that organisations be able to demonstrate compliance with the data protection principles ("accountability"), and this obligation links closely to Article 24, which requires the implementation of appropriate technical and organisational measures to ensure, and to be able to demonstrate, that the processing of personal data is performed in accordance with the GDPR. The chart below shows how seriously EU organisations have taken this obligation: 100% of organisations consider this activity applicable, with only 15% selecting the status Desired for this measure. There is quite a stark contrast with US companies, all of which consider this measure applicable but over 50% of which are in the Desired state.

[Chart: status of "Maintain documentation as evidence to demonstrate compliance and/or accountability", EU overall (46) vs. US (36)]

Resource Challenges: Top Desired Technical and Organisational Measures Overall

Organisations Require Additional Guidance or Resources to Address Some of the More Challenging Obligations under the GDPR

Desired measures are those that are applicable or relevant for GDPR compliance, but are not currently implemented or resourced (In Progress). At a glance, the top 5 Desired measures are as follows:

Technical or Organisational Measure                                        Implemented  In Progress  Desired  N/A
Maintain procedures to respond to requests for data portability             12.50%       25.00%       45.00%   17.50%
Conduct an Enterprise Privacy Risk Assessment                               26.09%       23.91%       43.48%    6.52%
Maintain policies/procedures for secondary uses of personal data            32.61%       13.04%       41.30%   13.04%
Maintain procedures to respond to requests to be forgotten or for erasure   35.00%       20.00%       41.00%    5.00%
Maintain policies/procedures for the de-identification of personal data     30.43%       26.09%       36.96%    6.52%

Nymity's experience working with hundreds of organisations suggests that compliance areas such as procedures to respond to requests for data portability, requests to be forgotten and de-identification procedures continue to cause confusion and require additional guidance from regulators. The statistics above support this observation: these activities rank among the lowest implemented but the highest Desired.

Insight Highlights: The Status of Appointing a DPO; Managing Third-Party Risk

The Status of Appointing a DPO

There is great interest from both organisations and regulators regarding the appointment of a DPO. Under the GDPR, not all organisations are required to appoint a DPO, but under Article 37(1) an organisation must appoint one if it is a public authority or public body under applicable EU Member State law, or if its core activities consist of personal data processing which:

- requires regular and systematic monitoring of individuals on a large scale; or
- is about special categories of data on a large scale and data relating to criminal convictions and offences.

The benchmark data show that 54.75% of EU organisations in this research have appointed a Data Protection Officer, and 100% of financial companies have done so (8 organisations represented).

Managing Third-Party Risk

There is a great deal of interest among organisations and regulators regarding managing third-party risk. The Nymity Framework identifies nine measures reflecting the kinds of policies and procedures organisations put in place to manage third-party risk. Three of these measures map to obligations in the GDPR. Across these three measures, EU organisations show a 41.34% implementation rate. Below we examine the data from the perspective of organisational size and industry sector.

Measures Related to Managing Third-Party Risk: Industry and Size

[Chart: implementation status of the three GDPR-mapped third-party risk measures, by industry (Finance, Manufacturing, Professional Services) and by EU employee count (5,001-25,000, 25,001-100,000, >100,000)]

Larger companies are a little further along in putting in place policies and procedures to address third-party risk. Among the three industry categories represented, professional services companies (e.g. insurance companies, brokerages and law firms) appear to be making the most progress.


Conclusion

Organisations are making significant progress in addressing the multitude of compliance obligations presented by the GDPR. Responsible EU organisations have invested heavily in technical and organisational measures relating to data subject rights, transparency obligations and breach management procedures. They have dedicated resources to, and are planning, measures related to Article 30 records of processing and measures relating to Data Protection Impact Assessments and Privacy by Design. It seems that more guidance may be needed for organisations to adequately address some of the more challenging measures, specifically in the areas of data portability and the right to erasure. If you have not yet benchmarked your GDPR compliance against other organisations, we hope the insights presented here will be a helpful guide in measuring your organisation's current state.