Which Privacy Assessments Reign Supreme?
In partnership with the IAPP, TrustArc recently completed a Survey on Privacy Program Metrics, which sought to establish baseline metrics against which privacy programs worldwide can benchmark themselves. The survey contained 27 questions, including demographic questions, and 496 people took the survey.
Some sample questions we set out to answer with the survey were:
- How many business processes are organizations mapping?
- How many reports are they creating to comply with Article 30 of the EU General Data Protection Regulation?
- How many privacy or data protection impact assessments are necessary?
- How many incidents rise to the level of breach reporting?
- Are people being overwhelmed by subject access requests?
The largest group of respondents works in the U.S. (39%), followed by the European Union, excluding the U.K. (32%), the U.K. (12%), and Canada (8%). Respondents were evenly distributed throughout the company sizes, with organizations that employ 25,001 people or more representing 25% of survey respondents, followed by organizations that employ 1-250 people (23%).
DPIAs Are the Most Common Type of Privacy Assessments
Many privacy regulations – and the GDPR in particular – take a risk-based approach to data protection. And, of course, risk lurks throughout the data processing life cycle.
Privacy impact assessments, often called Data Protection Impact Assessments in the EU, have long been integral to effective privacy programs.
DPIAs are now legally required in some circumstances by the EU GDPR, which has brought focus to the spectrum of impact assessments, from initial impact assessments and targeted assessments against certain frameworks to formal DPIAs delivered to EU data protection authorities.
Thus, we explored with respondents the types of privacy assessments their organizations currently conduct. Respondents were presented with a list of 11 different types of assessments, from which they could select multiple answers, as well as an open-ended “Other” answer choice.
The results showed that DPIAs were the most common privacy assessment, with 60% of respondents reporting that they conduct them. Privacy Impact Assessments (PIAs) were also conducted by about half (48%) of respondents.
For those organizations not completing DPIAs, the most common reason was that the organization felt it did not engage in high-risk processing activities.
Solution: TrustArc Assessment Manager
Assessment Manager streamlines the end-to-end assessment process following the proven TrustArc methodology developed and refined through thousands of engagements.
Identify gaps, record risks, manage tasks, maintain comprehensive audit trails, and produce compliance reports to meet GDPR Article 35 DPIA, Vendor Risk, International Data Transfer, and other regulatory requirements.
The assessments, including the DPIA assessment, are powered by intelligent content and leverage built-in logic and automated risk scoring.
Skip-logic functionality, as well as configurable compliance expressions, enables systematic identification of non-compliant answers and recommendations on how to remediate potential issues.
TrustArc also has a large team of expert consultants who can help supplement your resources to create and implement your GDPR program.
To read the full report, download it here.