Last month, during the annual Privacy.Security.Risk. event, the IAPP released the results of the 2017 IAPP-EY Annual Governance Report. We always look forward to this report, now in its third year, which compiles survey responses from nearly 600 privacy professionals across the globe. The findings are consistent with what we’re hearing from customers and industry partners, who are making frantic efforts to prepare to comply with the rigors of the GDPR and its risk-based framework.
Unsurprisingly, preparation for the enforcement of the GDPR was front of mind for many of the survey respondents. This was despite the fact that over 75% of respondents were located outside of the EU, signaling the international interest this new regulation has garnered. There also remains the concern that companies are underprepared: only 40% of organizations reported confidence that they’ll be compliant by May 25, 2018, indicating that, while organizations are better prepared than in reports from earlier this year, they still have a long road ahead.
Increasing Investments in Privacy Technology to Meet Growing Demands, Establish Program Scalability
Possibly motivated by the looming GDPR date and the potential fines for non-compliance of up to €20M or up to 4% of the total worldwide annual turnover of the preceding financial year, another finding was an increasing awareness of, and anticipated spending on, technology solutions.
“Perhaps the biggest takeaway from this year’s survey, however, is the role that technology is now playing in privacy management. The second most popular tool for GDPR preparation is investing in technology: 55% of respondents plan to make such investments, compared to just 29% last year.”
In the quote above, “tool” refers to the steps organizations are taking to prepare for the GDPR; the most popular step is investing in training. The report also found that privacy budgets are notably bigger, too, with mean privacy spending rising from $1.7 million to $2.1 million.
Takeaway: Now may be the time to argue for that headcount, increased budget, or new tool to help you operationalize your compliance program.
As Long as there is Risk, the Privacy Function is Here to Stay
Aligning with the push to invest in privacy technologies are the survey’s findings on why privacy exists as a function within organizations to begin with. The need to meet regulatory compliance requirements and the need to reduce the risk of a data breach remain the two top reasons for having a privacy function. Interestingly, both are increasingly supported by technology-aided automation in incident response.
This year also saw the need to meet client expectations become an increasingly compelling reason for privacy within an organization, which makes sense given the state of third-party vendor risk and regulators’ increased focus on business associates and managing risk.
Privacy Programs: Increasingly in the Limelight or Under the Magnifying Glass?
As privacy budgets have grown, so have staff counts and the visibility of privacy programs within their organizations. The survey found that privacy leaders are reporting higher up within their organizations, and progress on privacy initiatives is the top reported subject of board-level concern, displacing data breaches, which held that position in 2016. This increased interest in privacy measures makes sense: in recent years we’ve seen the consequences of poor privacy governance, especially damage to company reputation and negative public opinion.
Privacy pros are also becoming more ingrained within their organization. Privacy professionals’ colleagues are showing an increasing willingness to involve the team early and often in activities and new initiatives. For ongoing activities, privacy professionals report getting involved at the outset 43% of the time, up from 31% just two years ago.
Takeaway: While this increased attention on privacy metrics and program initiatives can be a good way to advocate for increases in budget, staffing, and tools as discussed above, it also can mean a greater need to measure and report on progress. Benchmarking your privacy program is not without its challenges, but it is the only way to show the value of the program and to continuously improve and streamline your incident response process. If you aren’t already, adopt automation, including for incident response, to operationalize and scale your privacy program; have your program metrics in place; and continuously measure your progress against them.
Bottom Line: Privacy Professionals Are Increasingly Valuable to Organizations, and Deserving of Support
“Boards are taking notice, new jobs have been created, employees throughout the firm have privacy front of mind, and the privacy tech industry is exploding.”
As outlined by this report, the privacy profession is in the midst of some major changes, making this an exciting time filled with its own opportunities and challenges.