Review of data protection compliance indicates room for improvement


The annual Global Privacy Enforcement Network (GPEN) “sweep” is a joint study carried out across the world by data protection regulators (including the UK’s ICO). This year the study looked at how organisations have taken responsibility for complying with data protection laws, particularly the core concept of accountability (which of course was a key GDPR change).

The findings, based on 356 organisations across 18 countries (although not all questions were answered by all respondents), indicated that whilst there were examples of good practice, some organisations had no processes in place, particularly for dealing with data subject rights and data breaches.

The study looked at a number of indicators. The report provides more detail, but generally speaking the key issues identified were:

  • 14% of organisations had poor internal data protection and privacy practices
  • 6% of organisations either didn’t say or didn’t have anyone taking responsibility in-house for data compliance
  • 6% of organisations had not delivered any staff training around data and privacy compliance
  • Of those organisations that did provide training, only 50% provided regular refresher training or new starter training
  • Only a third of organisations conducted any form of regular review or audit
  • Only 55% of organisations said they had appropriate privacy policies in place (6% had nothing; 31% had something, but it was probably not easily accessible or may even have been out of date)
  • 13% have no formal incident response procedure in place
  • 88% of organisations maintained some form of record of data security incidents
  • Just under half of respondents had processes in place to deal with data subject queries or complaints
  • Less than half had documented processes in place to assess privacy and data risks (e.g. DPIA); with 19% indicating no understanding of assessing data risks
  • 9% of organisations had no understanding of data being used around their organisation with some not even understanding the concept of what personal data is

It should be noted though that this was a global project and included non-EU countries, so the results don’t necessarily indicate GDPR compliance per se, but they do provide an insight into a mixed bag of compliance across multiple industry sectors. For the UK, the ICO have indicated:

  • Only 67% of organisations who provided a response said that they conduct regular self-assessments or audits of internal data protection standards and practices, and only 67% indicated that they maintain inventories of personal data held.
  • 83% of UK organisations who responded to the ICO’s queries indicated that they have implemented an internal data privacy policy and ensure that staff receive data protection training.
  • It was positive to note that 100% of organisations in the UK who provided a response indicated that they felt they had someone within the organisation at a sufficiently senior level responsible for privacy governance and management.

Commenting on the findings, an ICO representative said:

“The findings suggest that whilst organisations contacted by the ICO and our international partners have a good understanding of the basic concept of accountability, in practice there is significant room for improvement.

“It is important that organisations have appropriate technical and organisational measures in place. This includes having clear data protection policies, taking a ‘data protection by design and default’ approach and continuing to review and monitor performance and adherence to data protection rules and regulations.”

When it comes to GDPR compliance, the “accountability” principle is of course a key change. It’s the data protection principle which requires you to demonstrate that you are compliant, and it appears in various guises across the regulations, from recording that you have the right kind of consent (as the lawful basis for processing) to being able to demonstrate that you keep up-to-date records of your data processing activities and regularly audit your compliance.

With the GDPR anniversary fast approaching (yes, it will be a year at the end of May since GDPR came into play!), it’s as important as ever that everyone takes stock of their continuing compliance, and that will mean reviewing policies, data flows, third-party processor due diligence and employee training for starters.
