Home Legal News Data Protection Survey Shows Companies Failing in GDPR Accountability

Data Protection Survey Shows Companies Failing in GDPR Accountability

UK businesses are falling short in meeting internal auditing and incident response obligations under GDPR, according to a new report from the Global Privacy Enforcement Network.

The Global Privacy Enforcement Network (GPEN) is an informal network comprising over 60 privacy enforcement authorities in 39 jurisdictions around the world, including the UK’s Information Commissioner’s Office (ICO)

In its annual Sweep report, the GPEN took responses from more than 350 organisations across 18 countries globally about how they implement the key GDPR principle of accountability into internal privacy policies.

The findings showed a mixture of both compliant practices and areas for improvement in respect of UK standards for accountability as prescribed in the General Data Protection Regulation (GDPR).

A large percentage of responding organisations had put in place an individual or team responsible for ensuring their organisation’s compliance with relevant data protection rules and regulations, and the vast majority actively maintain and make publically available privacy policies detailing how they handle personal data.

Almost half have documented processes in place, such as privacy impact assessments, to assess the risks associated with new products, services, technologies and business models.
Over half of the organisations surveyed indicated that they have documented incident response procedures, and that they maintain up-to-date records of all data security incidents and breaches.

In the UK, 67% of respondents said they conduct regular self-assessments and maintain inventories of personal data, while 83% claimed to have an internal data privacy policy and ensure that staff receive data protection training.

While responses suggested a good understanding of the basic concept of accountability, a number of failings and risks were also apparent.

More than 20% of those polled had no measures in place to conduct self-assessments or internal audits. Around 15% were found not to have any processes in place to respond appropriately in the event of a data security incident – a key requirement of the GDPR is to notify the ICO within 72-hours of discovering an incident.

Some organisations also showed little to no understanding of the type of data they hold and of what constitutes ‘personal information’ and also fail to maintain an adequate inventory.

In addition, while staff data protection training was given by most organisations to staff, many failed to provide refresher training to existing staff.

Timely reminder for data controllers

The (ICO) is calling on UK data controllers and processors to take action to become more accountable in the wake of the report.

The UK regulator emphasised the ongoing need for organisations to review and monitor performance of data protection measures and policies and to implement internal mechanisms such as data protection impact assessments (DPIAs), auditing and certification, consistent staff training to comply with requirements under the GDPR.

Must Read

N244 Form (Where to Find & How to Complete!)

12 minute read Last updated: 13th August 2019 The N244 form is an application notice, used to apply for a court order in the...

Claiming Under the Sale of Goods Act (What You Should Do!)

5 minute read Last updated: 12 August 2019 Claiming under the Sale of Goods Act is the route a consumer should take if they...

Faulty Goods under Warranty (Your Consumer Rights!)

Where an item under warranty develops a fault, the path to remedying the situation may be as straightforward as claiming against your warranty but...

Nemo Dat Quod Non Habet

Nemo dat quod non habet, literally means "no one gives what he doesn't have". This is a legal rule, sometimes called the nemo dat...

Sale of Goods Act (Your Consumer Rights!)

The Sale of Goods Act 1979 states that all goods purchased or sold in the UK must be as described, of satisfactory quality and...