Oct 2019 Charity & NFP Law Update
In late September, 2019, the International Association of Privacy Professionals (“IAPP”) and Ernst & Young (“EY”) jointly released the fifth IAPP-EY Privacy Governance Report (the “Report”). The Report compiles and summarizes results from a global survey of IAPP members on issues related to privacy program structures (e.g. budget, staffing and career development), compliance with the EU’s General Data Protection Regulation (“GDPR”), and trends in privacy and data protection professionals’ daily routines, among other matters.
The Report, which surveyed respondents in the US, EU, UK, Canada, and other countries, reveals some interesting statistics. For example, by the first anniversary of the GDRP’s implementation, over 500,000 organizations had data protection officers (“DPOs”), far in excess of pre-GDPR estimates. While most organizations had DPOs because they were required to do so under the GDPR, the survey found that some respondents had a DPO even if they were not required to have one. With regard to the role of the board of directors, the Report states that the board’s role in privacy matters has been elevated as a result of the US Federal Trade Commission’s ruling on Facebook and Cambridge Analytica, which brought privacy risks to the forefront of organizations. Yet, when it comes to internal reporting on privacy, the Report found that, while EU-based privacy leaders generally report to the board of directors, US-based privacy leaders generally report to the general counsel and that boards in the EU are more likely to have direct oversight of privacy issues than those in the US.
The Report noted that, among organizations that must comply with the GDPR, the number of reported data “breaches”, defined as any unauthorized disclosure of personal data, had doubled from 16% in 2018 to 38% in 2019. In fact, 22% of respondents indicated they had reported ten or more breaches in the last year. The Report attributes this increase to the broad definition of data breach under the GDPR and to possible over-compliance by organizations, rather than to other causes, such as an increase in cyberattacks. Interestingly, only 2% of organizations reported being fined for a privacy breach, causing the authors of the Report to speculate that the whopping fines levied on organizations such as British Airways ($230 million) and Marriott ($125 million) may be outliers and that authorities may be choosing in most cases to work with organizations to address problems rather than resorting to fines and enforcement actions. Fewer than half of survey respondents, both within and outside of the EU, believed they were “fully” or “very” compliant with the GDPR, with one-tenth in the EU reporting that they are only “somewhat” compliant with the GDPR. The Report suggests that these statistics indicate the difficulty of complying with the GDPR, not that organizations do not take their privacy obligations seriously. 88% of respondents in the EU felt that their top priority was to comply with the GDPR or other law, whereas only 57% of US privacy leaders selected that as their top priority. Interestingly, 16% of US privacy leaders felt that safeguarding data from threats was one of their top three priorities whereas only 3% of EU leaders included that in their top three priorities.
Generally, respondents found that fulfilling their core GDPR privacy obligations, such as data portability requests, access requests and the right to be forgotten, had become less difficult over the past year. More than half of the organizations surveyed had received access and right to erasure requests over the last year. Organizations found locating unstructured personal data and monitoring data protection/privacy practices of third parties to be the most difficult types of data subject requests to handle. One area of growing uncertainty noted by the Report for organizations subject to the GDPR is cross border data transfers. The GDPR permits personal data to be transferred only to countries with adequate protection laws (such as Canada). To transfer to other countries, such as the US, organizations subject to the GDPR must put in place adequate safeguards to ensure GDPR compliance. Most organizations rely on standard contractual clauses or the EU-US Privacy Shield frameworks, both of which are currently before the Court of Justice of the European Union and could be invalidated. If that were to happen (as was the case with the former “Safe Harbor” framework) there will be a great deal of uncertainty about how to comply with the GDPR’s data transfer requirements. This problem will be magnified by Brexit, when the UK leaves the EU. It may become challenging to ensure continued data flows from the EU to the US, the UK and other countries. The Report found that most companies subject to the GDPR are “controllers” under the GDPR, with about 2/3 also being “processors”. It also states that 90% of organizations subject to the GDPR use other organizations to process data, with contracts being the most widely used method of ensuring third party processor compliance.
With regard to privacy program structures, the Report indicates that there are almost twice as many staff who devote part of their time to privacy matters as there are full-time privacy staff. Three out of ten privacy professionals also indicated that they expect to see full-time privacy staff increase in the coming year.
The Report provides a helpful look at the state of privacy matters on a global scale, and in particular highlights how the GDPR has affected organizations both within and outside of the EU. The findings will be of interest to Canadian charities and not-for-profits, which may be able to draw certain ideas for best practices in their privacy governance from the Report.
