March 21, 2019

Data protection regulators identify gaps in organizations’ privacy accountability measures

The Global Privacy Enforcement Network (GPEN), an informal network of over 60 privacy enforcement authorities in 39 jurisdictions worldwide, released its annual report (the GPEN Sweep) examining how organizations across various industry sectors have implemented privacy accountability into their internal privacy programs and policies. The report found that while many organizations demonstrated a baseline understanding of privacy accountability, there was significant room for improvement. For example, the GPEN Sweep found that fewer than 15% of organizations surveyed have processes in place to respond appropriately in the event of a data security incident, and fewer than half of respondents indicated that they would be equipped to respond to queries from relevant regulators.

GPEN also highlighted a number of privacy practices that it considered to be exemplary, such as designating a staff member responsible for privacy governance and management, certifying compliance with ISO/IEC 27001 security standards, and establishing internal privacy and data portals containing links to data protection policies, forms, templates, and materials.