On November 9, 2016, AvePoint, the Microsoft Cloud expert, and the Centre for Information Policy Leadership (CIPL) at Hunton & Williams, LLP, released the first-ever GDPR benchmark report, based on the results of a joint global survey we launched in May 2016 concerning organizational preparedness for implementing the EU General Data Protection Regulation (GDPR). The GDPR replaces Directive 95/46/EC (the Directive) and will come into force in May 2018.
About the GDPR Benchmark Report Survey
The survey was designed to highlight the many changes the GDPR would bring to organizations’ compliance programs as well as IT systems and infrastructure to help them benchmark and prepare for their implementation and transition processes towards GDPR compliance. “We hope that this report will allow organizations to accelerate their progress toward true operationalization for GDPR readiness,” said Dana Simberkoff, Chief Compliance and Risk Officer at AvePoint.
The survey responses totalled 223 from predominantly multinational organisations, 93 percent of which operate in Europe, more than half in the US, and less than half in South America and Asia. Telecommunication and technology companies were the most highly represented respondents, followed by insurance and financial services companies, as well as pharmaceutical and healthcare companies. Organisations’ annual revenue size ranged from less than $1 million to more than $100 billion.
Highlights From the GDPR Benchmark Report
The GDPR signals the start of a new generation of data privacy laws and practice in Europe and beyond. It will bring significant changes to data privacy authorities, individuals, and organizations. It will affect the risk profile of organisations and impact their management, use and sharing of data, as well as their IT systems and infrastructure.
Our GDPR benchmark report homes in on nine key trends that relate to everyday business and compliance concerns, including:
- GDPR Impact: Respondents believe that the aspects of the GDPR that will have the largest impact on their organisations are the requirements for a comprehensive privacy management program, use and contracting with processors, as well as data security and breach notification. As expected, senior management is most concerned about the GDPR’s enhanced sanction regime and the data breach notification requirements, as well as how the regulation will impact their data strategy and ability to use data.
- GDPR Readiness: Organisations appear to be in varying stages of preparation for the GDPR. While most have appointed a data protection officer (DPO), many organizations are either increasing resources in preparation or in the process of considering additional resources to meet the increased obligations under the GDPR.
- Data Transfers Outside the EU: Organizations appear to use a wide variety of mechanisms today for data transfer related to internal human resources (HR), consumers/customers, and vendors. According to responses, they will continue to do so after the GDPR is implemented. The most popular mechanisms today are, in descending order: Model Contracts, consent and necessity for contracts and Privacy Shield.
- Compliance Technology Tools and Software: Currently, organisations do not appear to widely use or have access to technology tools and software to aid with data privacy compliance tasks. Only a minority of organisations use technology to automate and industrialise their Data Protection Impact Assessments (DPIAs), data classification and tagging policies, data processing inventories, and delivery of the new data portability right.
Additional key issues covered in the GDPR benchmark report survey include consent and legitimate interest, DPIAs and Privacy by Design, the controller-processor relationship, security breach notification and the need for a holistic and collaborative approach to GDPR implementation between senior management and the legal, data privacy, information security and other groups within the company.
To access the full GDPR benchmark report, please visit AvePoint’s website.
For more information on the CIPL, please visit the Centre’s website.