By Pragasen Morgan, Partner, EY.
This time last year, many Data Protection Officers (DPOs) were still settling into their jobs, even though the GDPR implementation deadline was only months away. What did DPOs learn from such a demanding year and how do they see 2019 panning out? The EY International Association of Privacy Professionals (IAPP) survey, based on interviews with over 500 global privacy professionals, provides some fascinating insights.
Full compliance – a moving target?
It looks like the GDPR task is far from over for hard-working DPOs, with only 44% of respondents claiming their organisations are fully compliant, 34% saying it will be 2019 or later until they are, and a significant 19% believing full compliance will never happen.
More positively, GDPR is proving a little less complicated in practice than initially thought, with the perceived level of difficulty having dropped considerably for every individual compliance process. That is good news, given that only 27% of DPOs have full-time dedicated staff supporting them.
DPOs can take comfort from the fact that not everyone thinks they’re only there as a legal requirement. In fact, firms are split almost evenly as to their motivations for having a DPO. Slightly over half say they are just following the law, but 48% say they have created the position to serve as a valuable business function.
More DPOs, but spending has peaked
Three quarters of firms surveyed have now appointed DPOs and, of those, 45% have more than one. This should, however, be seen in the context that many DPO roles are being ‘stepped into’ by existing privacy decision makers. Almost six in 10 privacy leaders have taken on the DPO duties themselves.
In terms of spending, it was always likely that the high levels of initial investment in GDPR compliance, at an average USD 2.1mn (£1.65mn) in 2017, would tail off as systems got up and running. That was reflected in a significantly lower 2018 average spend of USD 1mn (£0.78mn). However, 55% of those surveyed say that spending will increase again next year, reflecting the fact that 65% believe their current budget is not enough.
Virtually all those surveyed described their company as a data controller, and the vast majority used third-party companies to process data. Some delegate this to procurement, which may simply send out a stock questionnaire to the vendor. Others check for third-party certification, such as ISO 27001 (42%) or SOC2 privacy (31%). Many, however, run their own internal audit and investigation programmes.
GDPR is reshaping organisations
So, those are the hard facts, but what does the EY IAPP survey tell us about the importance of privacy-related issues within an organisation and how the DPO's role reflects this?
Here we find that GDPR has fundamentally changed the structure and business processes of many organisations, with three in four saying they’ve adapted products and services to ensure GDPR compliance. This growing awareness of the need to embed privacy from the beginning, rather than relying on performance compliance reviews, is a positive sign that the message is getting across.
Our own conversations with individual DPOs support this aspect of the report’s findings. The DPO of a major Europe-based company that had recently made a major acquisition emphasised the need for global data privacy and security governance to be embedded consistently from top to bottom, within each operating unit and country, and supported by solid KPIs. Also key to success was the need to engage and consult with supervisory authorities in every country in which the company operates.
Broader business context
As the mandate to rapidly implement GDPR-compliant processes fades, there is an opportunity to look at all privacy-related issues in the broader business context. This process requires a greater willingness from the business to seek advice from privacy professionals at all stages of commercial development. It will also require those professionals to bring the right mix of legal, business, data analytics and cyber skills to the table.
The fact that key DPO issues are being considered at higher levels can only help to foster much-needed cross-organisation involvement. GDPR compliance maturity status has leapt to the top of topics reported to the board, while privacy metrics have also gained momentum. Nearly eight in 10 respondents say privacy matters are being reported to the company’s board.
This increased recognition of data privacy issues at C-suite level will prove crucial in helping organisations to win and maintain public trust. Only by doing so can they ensure access to the data that is so vital to fuelling future innovation and growth.
In the meantime, DPOs can rest easy in the knowledge that they are unlikely to be short of work. EY’s own research puts the shortage of DPOs in Europe alone at 50,000.
To find out more about how EY can help, please contact:
Pragasen Morgan, Privacy Leader UK or Ian Williamson, Director, EY Law, UK.