The IAPP, in collaboration with EY and EY Law, produced the “IAPP-EY Annual Privacy Governance Report 2021”, which analyzes the state of the privacy profession in 2021, including the ongoing effects of the COVID-19 pandemic on the profession and the shift between remote, hybrid and office work.
The report also covers the future of business travel, legal compliance issues under the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), and the progress organizations have made in adapting to newer laws, including the California Privacy Rights Act, other U.S. state laws and Brazil’s General Data Protection Law (LGPD).
Major Privacy Law Updates around the World:
1. In July, Luxembourg’s National Commission for Data Protection imposed an unprecedented 746 million euro fine on Amazon for alleged GDPR violations, the largest GDPR fine to date and more than the total of all GDPR fines previously imposed since the law took effect.
2. In September, the Irish Data Protection Commission fined WhatsApp 225 million euros, the second-largest GDPR fine to date.
3. In August, China adopted the Personal Information Protection Law (PIPL), which takes effect Nov. 1, 2021.
4. South Africa’s Protection of Personal Information Act (POPIA) came substantively into force July 1.
5. At the state level in the U.S., privacy laws continue to advance from passage to implementation and enforcement.
Major Highlights from the Report:
1. Privacy budgets have increased significantly since last year; the average (mean) privacy spend among organizations is $873,000.
2. 45% of organizations plan to hire at least one or two new privacy professionals over the next six months.
3. Most firms said they usually take at least a few days to respond to data subject requests (DSRs), with nearly 4 in 10 saying they take at least a week.
4. Regarding CCPA compliance, 26% of firms to which the law is applicable reported being in full compliance, while 41% reported being very compliant.
5. 20% of firms to which the GDPR is applicable rated themselves as fully compliant with the law, while 43% said they are very compliant.
6. Six in 10 organizations have a dedicated team in place for handling DSRs, with access requests and right-to-erasure requests being the two most common.
7. The top five types of data collected from employees during COVID-19 were health status information, temperature, COVID-19 test results, contact tracing information and vaccination records.
8. Most businesses that transfer data out of the EU have either continued to rely on, or switched to, standard contractual clauses (SCCs), which the European Commission updated in June.
9. 30% of privacy leaders report to the general counsel, 18% to the CEO and 16% to the CCO; the remainder report to a vice president, the board of directors or the CFO.
10. The most common job title for an organization’s privacy leader is Chief Privacy Officer, followed by Data Protection Officer (DPO) and Director of Privacy.
Some privacy management statistics from the past year:
1. The most common metrics used for benchmarking involve incident response, impact assessments, training, and DSRs. Access requests and right-to-erasure requests are the most common DSRs across firms, with at least two-thirds receiving them.
2. The audits or certifications organizations most commonly require from entities that process their data are ISO 27001 (28%), SOC 2 with the Privacy criteria (22%) and internally developed assessments (17%).
3. More than half of organizations handle DSRs manually, while 1 in 3 has automated the process. Organizations most frequently use privacy technologies for DSRs (40%), data mapping (39%), cookie consent and website scanning (39%), privacy and data protection impact assessments (37%), consent management (35%) and third-party risk management (32%).
4. 67% of survey respondents this year hold a Certified Information Privacy Professional (CIPP) credential, up from an average of about 59% over the past three years.
5. Nearly 6 in 10 privacy pros said that complying with cross-border data transfer laws is their most difficult task.
6. Nearly half (48%) of firms have a single global privacy strategy.
7. More than 7 in 10 firms transfer data from the EU to a third country; SCCs are used by nearly all (94%) of them.
8. 10% of firms chose to localize data, stop transfers or halt related services as a result of the CJEU’s ‘Schrems II’ decision.
9. 3 in 4 firms have a DPO, with 15% outsourcing the role (up from 8% in 2020).
10. 6 in 10 organizations with an in-house DPO said the position handles matters across all countries, while 4 in 10 have country-specific DPOs.
11. The countries most likely to have a dedicated DPO are Germany, the UK, and Brazil.
12. Firms have an average of 18 full- or part-time privacy staff, with more in the EU than the US.
13. Privacy spending has increased significantly since 2020; the typical (median) organization’s privacy budget is $350,000.
14. 6 in 10 privacy pros expect their budget to increase over the next 12 months, while almost none expect it to decrease.
15. Privacy policies, training, and incident response are among the tasks virtually all privacy teams are responsible for.
16. US-based privacy pros focus more on vendors, the CCPA and LGPD, and consumer sentiment than their EU-based peers.
17. 6 in 10 firms have had a privacy program for 3 to 9 years, up from just half in 2020.
18. 8 in 10 survey respondents work for a firm headquartered in the US (54%), EU (16%) or UK (10%). About half (47%) of respondents are based in the US, 19% in the EU and 14% in the UK.
Report source credits: IAPP-EY Annual Privacy Governance Report 2021 (EY).