UK businesses are falling short in meeting internal auditing and incident response obligations under GDPR, according to a new report from the Global Privacy Enforcement Network.
The Global Privacy Enforcement Network (GPEN) is an informal network comprising over 60 privacy enforcement authorities in 39 jurisdictions around the world, including the UK’s Information Commissioner’s Office (ICO).
In its annual Sweep report, the GPEN took responses from more than 350 organisations across 18 countries about how they build the key GDPR principle of accountability into their internal privacy policies.
The findings showed a mixture of compliant practices and areas for improvement when measured against the accountability standards prescribed in the General Data Protection Regulation (GDPR).
A large proportion of responding organisations had appointed an individual or team responsible for ensuring compliance with the relevant data protection rules and regulations, and the vast majority actively maintain, and make publicly available, privacy policies detailing how they handle personal data.
Almost half have documented processes in place, such as privacy impact assessments, to assess the risks associated with new products, services, technologies and business models.
Over half of the organisations surveyed indicated that they have documented incident response procedures, and that they maintain up-to-date records of all data security incidents and breaches.
While responses suggested a good understanding of the basic concept of accountability, a number of failings and risks were also apparent.
More than 20% of those polled had no measures in place to conduct self-assessments or internal audits. Around 15% were found to have no process for responding appropriately to a data security incident. That matters because the GDPR requires a controller to notify the supervisory authority (the ICO in the UK) of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; without a documented incident response process, an organisation is unlikely to detect, assess and report a breach within that window.
Some organisations also showed little or no understanding of the types of data they hold or of what constitutes ‘personal information’, and failed to maintain an adequate inventory of it.
In addition, while most organisations gave their staff data protection training, many failed to provide refresher training to existing staff.
Timely reminder for data controllers
The ICO is calling on UK data controllers and processors to take action to become more accountable in the wake of the report.
The UK regulator emphasised the ongoing need for organisations to review and monitor the performance of their data protection measures and policies, and to implement internal mechanisms such as data protection impact assessments (DPIAs), auditing and certification, and regular staff training, in order to comply with the requirements of the GDPR.