Organizations are still failing to put in place the appropriate internal auditing and incident response measures necessary to comply with General Data Protection Regulation (GDPR) rules, according to a new report from the Information Commissioner’s Office (ICO).
The UK’s data protection watchdog teamed up with its New Zealand equivalent to conduct the Global Privacy Enforcement Network's (GPEN) annual GPEN Sweep report.
It polled over 660 organizations globally to see how they had implemented the key GDPR principle of accountability in their internal privacy policies and programs. Some 356 responded across 18 countries.
While there were examples of good practice — for example a large percentage of responding organizations had put in place an individual or team responsible for data protection — there were some concerning findings.
For example, over a fifth of those polled had no programs in place to conduct self-assessments and/or internal audits.
Further, around 15% were found not to have any processes in place to respond appropriately in the event of a data security incident. This is a key requirement of the GDPR, which demands that breached organizations notify the regulator within 72 hours of discovering an incident.
In addition, while most organizations gave staff data protection training, many failed to provide refresher training to existing staff.
“The findings suggest that whilst organizations contacted by the ICO and our international partners have a good understanding of the basic concept of accountability, in practice there is significant room for improvement,” said ICO head of intelligence, Adam Stevens.
“It is important that organizations have appropriate technical and organisational measures in place. This includes having clear data protection policies, taking a ‘data protection by design and default’ approach and continuing to review and monitor performance and adherence to data protection rules and regulations.”
In the UK, 67% of respondents said they conduct regular self-assessments and maintain inventories of personal data, while 83% claimed to have an internal data privacy policy and ensure that staff receive data protection training.