Global Privacy Enforcement Network (GPEN) 2018 ‘Sweep’

05th March 2019

In 2018, the Global Privacy Enforcement Network’s (GPEN) annual intelligence gathering operation, called a ‘Sweep’, examined organisations’ self-reporting of their implementation of the core concepts of accountability. In short, the study looked at how they considered they have taken responsibility for complying with data protection laws.

Whilst there were examples of good practice reported, it was found that a number of organisations reported that they had no processes in place to deal with the complaints and queries raised by data subjects, and were not equipped to handle data security incidents appropriately.

Participating GPEN members made contact with 356 organisations in 18 countries during the Sweep and came to the following conclusions:

  • Nearly three quarters of organisations across all sectors and jurisdictions had appointed an individual or team who would assume responsibility for ensuring that their organisation complied with relevant data protection rules and regulations.
  • Organisations were generally found to be quite good at giving data protection training to staff, but often failed to provide refresher training to existing staff.
  • When it comes to monitoring internal performance in relation to data protection standards, many organisations were found to fall short, with around a quarter who responded having no programmes in place to conduct self-assessments and/or internal audits.
  • The organisations that indicated that they have monitoring programmes in place generally gave examples of good practice, noting that they conduct annual audits or reviews and/or regular self-assessments.
  • Over half of the organisations surveyed indicated that they have documented incident response procedures, and that they maintain up to date records of all data security incidents and breaches. However, a number of organisations indicated that they have no processes in place to respond appropriately in the event of a data security incident.

In Ireland, the Sweep was conducted by contacting 30 randomly-selected organisations across a range of sectors (including pharmaceutical, multinational, Government / Local Government, transport, charity, education and finance) and asking them to complete a table of questions relating to ‘Privacy Accountability’. The DPC noted the following trends from the Sweep carried out in this jurisdiction:

  • 86% of organisations have a contact for their DPO listed on their website. We noted that all have privacy policies which are easily accessible from the homepage.
  • Most organisations reported that they have policies and procedures in place to respond to requests and complaints from individuals.
  • 75% of organisations reported that they have adequate data breach policies in place.
  • All organisations reported that they provide some form of data protection training for staff. However, only 38% of those organisations provided evidence of training programmes for all staff, including new entrants and refresher training.
  • In most cases, organisations reported that they undertake some data protection monitoring/ self-assessment, but not to a sufficiently high level. 3 of the 29 respondents scored ‘poor’ in this section, while 13 reached ‘satisfactory’.
  • One third of organisations failed to provide evidence of documented processes to assess risks associated with new products and technology. However, most organisations appear to be aware of the need for this and many reported that they are in the process of documenting appropriate procedures.
  • 30% of organisations failed to demonstrate that they had an adequate inventory of personal data while almost half failed to maintain a record of data flows.

The DPC is currently assessing the results of the Sweep and what follow-up actions are necessary based on the responses.

Editors’ notes

  1. The Global Privacy Enforcement Network (GPEN) was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development (OECD). Its aim is to foster cross-border co-operation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context. The informal network is comprised of over 60 privacy enforcement authorities in 39 jurisdictions around the world.
  2. The GPEN Sweep is currently co-Chaired by the Information Commissioner’s Office, UK and the Office of the Privacy Commissioner, New Zealand.
  3. 2018 International Report
  4. Irish Sweep Results