The 2019 Privacy Governance Report released by EY and the International Association of Privacy Professionals (IAPP) in September contains a range of survey questions and responses that are instructive for organisations around the world. In our last instalment on this report, we look at the statistics on data breaches and enforcement and try to answer the question of why, if data breaches are up, is the prospect of enforcement down?
The survey puts a number of questions to its primarily EU and US-based respondents, including:
- what are the privacy topics most commonly reported to the Board?
- have you reported a breach to the authorities?
- have you been subject to any fines for breaches under the General Data Protection Regulation (GDPR)?
The results indicate that while Boards are increasingly concerned about data breaches, and organisations are increasingly inclined to report them, the number of fines remains curiously low.
The report notes that breaches dominate privacy reporting to the Board, closely followed by the topic of GDPR compliance, at 68 per cent and 64 per cent respectively. The rates drop to 58 per cent and 47 per cent when it comes to reports on practical implementation, such as privacy program KPIs and initiatives (e.g. training).
Data ethics comes in last at 15 per cent, although we expect this figure to rise in coming years as organisations grapple with the ethical questions and responsibilities that come with being the custodians of personal information, and as increased consumer awareness of privacy rights (which we looked at in our previous article) starts to filter through at the shareholder level, with consequent activism.
The increased visibility of privacy at the Board level can, in part, be ascribed to the increase breach reporting and compliance obligations. In one year, the number of organisations who reported a data breach to the regulator doubled, from 16 per cent to 38 per cent of respondents. In fact, 22 per cent of respondents indicated they'd report "10 or more" breaches.
Unsurprisingly, the EU had substantially higher reporting rates than the US (52 per cent as opposed to 22 per cent).
Despite the increase in breach reporting, only 2 per cent of respondents reported being fined for a breach.
So why this anomaly? At least in part, the low rates of fines can be chalked up to a time-lag. The GDPR remains in its infancy with both organisations and regulators still finding their feet. While regulators have had a number of large and successful enforcement actions against high profile organisations, they continue to remind us that effective investigations take time, diligence and careful consideration.
It can reasonably be assumed that a number of the breaches which have been reported are still being investigated and that the outcomes, whether in the form of fines or other remedial enforcement actions, are still pending. Noting that only 9 per cent of respondents consider themselves to be "fully compliant" with GDPR and the majority are still employing manual strategies to manage their data mapping and responses, we can expect that regulators will continue to move towards increased parity between breaches and fines.
To date, Australian organisations appear to have largely escaped the focus of EU-based regulators, however that can be expected to change as they broaden their focus to consider the extraterritorial application of the GDPR. Local organisations with links to the EU should take steps now to ensure their processes are up to scratch.
Various websites catalogue the enforcement actions of regulators to date and it is clear that regulators are not just focussing on the top end of town but are taking action where businesses, even small ones, show disregard for the rights of individuals.
This concludes our four-part series on the latest trends and insights from the IAPP EY 2019 Privacy Governance Report. We looked at why privacy budgets need to increase to respond to the upsurge in regulation ( part 1), how changing roles of privacy in organisations affect businesses ( part 2), what increased consumer awareness of privacy rights imply ( part 3) and answer why prospect of enforcement is down if data breaches are up.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.