The European Union’s General Data Protection Regulation (GDPR) has been years in the making. The final version (agreed upon in December of 2015) will go into effect on May 25. To those of us working in the privacy field, it feels like you would quite literally need to be living under a rock to be unaware of these new requirements for most privacy, security and information governance programs. Regardless, many organizations are unprepared.

To assess global readiness for the GDPR, my company, AvePoint, conducted a survey in 2016 with the Centre for Information Policy Leadership (CIPL), a global privacy policy think tank, asking companies around the world to assess their readiness for the GDPR and to document any concerns they might have about the new regulation. The first annual benchmark report was presented at the International Association of Privacy Professionals (IAPP) Data Protection Congress in Brussels on Nov. 9, 2016.

The objective of the survey was to help organizations benchmark and prepare their GDPR implementations and change management programs. Our questions focused on key change areas and topics of the GDPR that relate most to everyday business and compliance concerns. CIPL and AvePoint launched a second global survey this year to further understand GDPR readiness among organizations and to benchmark progress made since the first survey.

The updated survey focused on many of the same key change areas and topics as the 2016 report, along with some new areas, all of which relate to everyday business and compliance concerns for organizations.

The 2018 survey results revealed 12 key trends, outlined in the following excerpts from our full 2018 GDPR Benchmark Report.

1. GDPR Impact, Organizational Readiness and Resources

Building and maintaining a comprehensive privacy compliance program, rules surrounding data security and breach notification, and compliance with individual rights continue to be areas of high change impact on organizations. Core processing principles are reported to present a higher change impact than in 2016, and this could be as a result of organizations working to re-engineer systems and processes to comply with the newly introduced principles ahead of 25 May 2018. Senior management continues to express concern around the enhanced sanction regime and stricter rules on consent and the reuse of data. This year, restrictions on profiling and enhanced individual rights appear to present a higher concern than they did previously. To tackle these concerns and change impacts, over half of all respondents have committed additional budget to GDPR implementation, with increases ranging from hundreds of thousands of dollars to upwards of $50 million. This wide range reflects the varying status of GDPR implementation within organizations, covering the spectrum between organizations with mature privacy programs and those just starting.

2. Areas in Need of Further Clarity

Respondents noted that legitimate interest remains the area in need of most clarity under the GDPR, followed by data protection impact assessments and risk, breach notification, notice and consent and privacy by design. These are complex topics, and ensuring their correct implementation is by no means a light task. Organizations will have to work hard to find and demonstrate best practices to ensure compliance with all aspects of the GDPR, including less straightforward aspects. The EDPB [European Data Protection Board] and national data privacy regulators will have a continued role to play in clarifying the less certain areas.

3. Consent and Legitimate Interest

The GDPR introduces new requirements which organizations will have to comply with to ensure they obtain valid consent from individuals before processing their data. Organizations reported that ensuring individuals can withdraw consent at any time, ensuring consent is evidenced and documented, and ensuring consent is separate for each processing operation will most impact their current practices for obtaining consent. Almost half of the organizations reported they will increasingly rely on legitimate interest to process data once the GDPR enters into force. This is reflective of the increased difficulty in obtaining valid consent under the GDPR and [the fact] that organizations view legitimate interest as a more appropriate processing ground for many data processing contexts in the modern information age.

4. Records of Processing and Data Mapping

While technology tools and software are the number one priority for GDPR-focused budget spending, much work is still to be done to assess and procure these solutions. The survey data shows respondents still rely heavily on manual methods for building and maintaining inventories of their data processing. Only a fifth of respondents use automated software tools to track their data’s full life cycle, and almost 60 percent of organizations do not have any procedures in place to identify and tag data. Of those that do, only 9 percent use automated tagging. This is one area where organizations will need to invest in technology and tools to build and automate these processes to ensure compliance with several GDPR requirements. The role of a DPO [data protection officer] or privacy team as “technology buyer” will be pertinent to such investments. IT and IS stakeholders should also be part of these investment and purchasing decisions.

5. DPIAs and Security Design Assessments

Almost 50 percent of organizations reported carrying out DPIAs [data protection impact assessments] in circumstances envisaged by the GDPR. However, almost a quarter feel DPIAs are not applicable to their organization. It will be crucial for organizations to assess their processing operations to see whether any of their data processing activities could result in a high risk for individuals. A similar number of organizations conduct security design assessments for the creation of new IT systems or processes. For organizations that carry out DPIAs and security design assessments, the process remains mostly informal, with most relying on the use of spreadsheets or Word documents with questions. As with data classification and tagging, investing in appropriate technology will be essential to ensuring compliance for new data processing activities.

6. Automated Decision-Making

Over two-thirds of organizations reported they carry out some form of automated decision-making. There appears to be confusion among organizations as to which types of automated decisions fall within the scope of Article 22 of the GDPR, with many reporting profiling alone as an example of automated decisions they take under Article 22. Organizations must critically assess whether their automated decisions in fact produce legal or similarly significant effects, bearing in mind this is a high bar to meet and the application of Article 22 is reserved for only truly impactful solely automated decisions.

7. Controller-Processor Relationship and Agreement

Over two-fifths of organizations started reviewing and renegotiating their processing contracts, according to this year’s survey. However, almost a quarter of organizations have not yet implemented any processes to update their contracts or review or renegotiate existing agreements. Some GDPR-required terms are already included in existing contracts by some organizations, but overall, organizations will have to closely look at all their controller-processor agreements ahead of May to ensure they include all the new required terms introduced by the GDPR. In respect of processor obligations, maintaining records of all processing activities was reported as requiring the most internal consideration and change for organizations. This was followed by complying with the terms of the controller-processor agreement. This is not surprising, given the data shows there is much work to be done to update such agreements.

8. International Data Transfers

Organizations continue to use a wide variety of transfer mechanisms to legitimize data transfers outside the European Union, depending on the type and circumstances of the transfer. Model clauses remain the current most popular transfer mechanism, followed by the Privacy Shield and necessity of contract. Post-GDPR, reliance on model clauses will increase, along with reliance on the Privacy Shield and binding corporate rules. Despite little information being available on new GDPR transfer mechanisms such as adequate safeguards and certifications, for the second year in a row, respondents indicated they are likely to use these mechanisms, with almost a fifth of organizations reporting they will rely on the latter post-GDPR.

9. Breach Notification

Given the rise of cyberattacks in the modern information age and new security breach notification requirements under the GDPR, along with potentially massive penalties for failing to properly handle breaches, companies will have to work to ensure they have appropriate security measures and procedures in place ahead of May. Encouragingly, the majority of organizations have put internal reporting procedures and incident response plans in place. However, organizations still have some work to do in implementing other data breach response procedures such as conducting dry runs and retaining PR and media consultants. Almost two-fifths of respondents have procured cyber insurance coverage.

10. Main Establishment

A significant proportion of organizations will be able to benefit from the main establishment and lead supervisory authority provisions of the GDPR. About two-thirds of survey respondents reported they will have a main establishment, with just over a third reporting they will have multiple establishments in multiple EU member states.

11. Right of Data Portability

There continues to be confusion around the application of the right of data portability, with 54 percent of organizations reporting they do not consider the right of data portability to be relevant to them, or that they are unsure whether it is. A higher percentage of organizations are, however, implementing procedures to enable an individual to transmit his or her data to another controller in a machine-readable format (22 percent). This is a positive increase compared to 2016 when only 10 percent of respondents reported having such procedures in place.

12. Seals and Certification

Over 50 percent of organizations reported they would rely on certifications to demonstrate their compliance program, which is a significant increase over the two-fifths of organizations that reported the same in 2016. This sends a strong signal in terms of industry’s readiness to embrace certifications at program level, providing they relay benefits for them. Over one-third of respondents reported they would rely on certifications for specific products and services and for data transfers.

Balance Transparency With Privacy

The GDPR, like most other privacy and security laws, reframes or reimagines the best practices companies have had in place for many years. But the time is now to put good policies, procedures and technical controls in place. A GDPR strategy in combination with solid education, technical automation and measurement will enable organizations to appropriately balance collaboration and transparency with data protection and privacy.