PRIVACY INSIGHT SERIES Summer / Fall 2017 Webinar Program
Benchmarking Your GDPR Compliance: Will You Make the Grade? July 26, 2017
© 2017 TrustArc Inc Proprietary and Confidential Information
Today’s Speakers
• Jim Koenig, Partner & Co-Chair, Privacy & Cybersecurity Practice, Fenwick & West LLP
• Dr Kai Westerwelle, Partner, Taylor Wessing (US) Inc.
• Dave Deasy, SVP Marketing, TrustArc
Privacy Insight Series - trustarc.com/insightseries
Benchmarking Your GDPR Compliance: Will You Make the Grade?
2017 TrustArc Privacy Insight Series
With less than one year to go before the GDPR is enforced across Europe, how has the industry responded to the GDPR requirements, and how many companies will make the grade by May 2018? Recent TrustArc research conducted by Dimensional Research found that 61% of companies have not yet begun implementing their GDPR compliance programs. Of those that had started, the three challenges cited most by the privacy professionals surveyed were difficulty maintaining and updating privacy programs (57%), lack of appropriate tools and technology (56%), and lack of internal resources (54%). How does your program stack up?
Today’s Agenda
• How is privacy changing / what are the drivers
• How are companies approaching the GDPR
• Where they are prioritizing their effort
• How much do they expect to spend
• Tips to reach GDPR compliance
Privacy and the EU GDPR: 2017 Survey of Privacy Professionals
Research Overview
• Conducted May 10 - 17, 2017 by Dimensional Research
• Respondents: US-based privacy professionals from companies that are subject to GDPR
• Minimum company size: 500 employees
• Respondent company headquarters: 92% US or Canada; 5% EU; 3% other
• Respondents work in legal, IT, compliance and privacy functions
• For 36% surveyed, privacy was their entire job
• For 64% surveyed, privacy was an important part of their job (over 25%)
• Note: due to rounding, some totals will not sum to exactly 100%
Respondent Demographics
(Chart; the individual percentages are not recoverable from the extracted text.)
• Job level: individual contributor, team manager, executive
• Industry: Financial and Insurance Services, Technology, Manufacturing, Business Services, Education, Retail, Energy and Utilities, Telecommunications, Healthcare and Pharmaceutical, Consumer Products, Transportation, Internet and E-commerce, Media, Aerospace and Defense, Hospitality and Entertainment, Food and Beverage, Non-Profit, Other
• Company size (# employees): 500 - 1,000; 1,000 - 5,000; 5,000 - 10,000; 10,000 - 50,000; more than 50,000
Source: TrustArc / Dimensional Research 2017
Privacy Importance Growing
96% say the importance of managing privacy is increasing
• It is becoming significantly more important: 68%
• It is becoming slightly more important: 28%
• It is not changing / it is becoming less important: 4% combined
Question: “How is the importance of data privacy management changing at your company?”
• Overall, 68% state managing privacy is becoming significantly more important
• Amongst companies with 5,000+ employees, 79% state privacy is becoming significantly more important vs. 67% for medium and 54% for small companies
Source: TrustArc / Dimensional Research 2017
Privacy Getting Harder
98% say the complexity of managing privacy is increasing
• It is becoming significantly more complex: 56%
• It is becoming slightly more complex: 42%
• It is not changing: 2%
• It is becoming less complex: 0%
Question: “How is the complexity of data privacy management changing at your company?”
• 56% of respondents state privacy is becoming significantly more complex
Source: TrustArc / Dimensional Research 2017
Discussion Questions
• What is driving the importance?
• What is driving the complexity?
Multiple Functions Responsible for Managing Privacy
Top functions include legal, IT, compliance, privacy, and data governance
• Legal: 78%
• IT including IT security and risk management: 62%
• Compliance: 53%
• Privacy: 40%
• Data governance or data management: 37%
• Executive team: 23%
• HR: 21%
• Business analytics: 20%
• Physical security (i.e. security at facilities): 17%
• Engineering or product development: 17%
• Business unit: 12%
• Marketing: 11%
Question: “Which of the following job functions are involved in managing data privacy compliance including GDPR at your company?”
Source: TrustArc / Dimensional Research 2017
Primary Privacy Ownership Limited to a Few Groups
Legal dominates ownership in smaller companies; Compliance and Privacy ownership increases in larger companies
(Chart: share of companies naming Legal, IT, Compliance or Privacy as the primary owner, broken out by company size: 500 - 1,000, 1,000 - 5,000 and over 5,000 employees. The individual percentages are not recoverable from the extracted text.)
Question: “Which of these job functions has PRIMARY responsibility for data privacy?”
Note: percentages do not total 100%; the chart excludes functions reporting under 5% ownership (e.g., data governance, engineering, marketing, physical security, executive team)
Source: TrustArc / Dimensional Research 2017
Discussion Questions
• How is privacy program ownership changing over time?
• What are you seeing in the market?
Privacy Spending Increasing
97% are increasing their investment in managing privacy
• It is becoming significantly larger: 47%
• It is becoming slightly larger: 50%
• It is not changing / it is becoming smaller: 3% combined
Question: “Consider the entire investment your company is making to manage data privacy compliance at your company – including internal and external resources, training, consultants, tools, and all other costs… How is this investment changing?”
• 47% of respondents state privacy spending is becoming significantly larger
Source: TrustArc / Dimensional Research 2017
Privacy Expertise and Guidance Needs Growing
97% say the need for privacy expertise or guidance is increasing
• It is becoming significantly greater: 50%
• It is becoming slightly greater: 47%
• It is not changing / it is becoming smaller: 3% combined
Question: “How is the need for expertise or guidance to manage data privacy changing at your company?”
• 50% state that the need for expertise or guidance to manage data privacy is becoming significantly greater
Source: TrustArc / Dimensional Research 2017
Privacy Technology Needs Growing
95% say the need for technology to help manage privacy is growing
• It is becoming significantly greater: 51%
• It is becoming slightly greater: 44%
• It is not changing / it is becoming smaller: 5% combined
Question: “How is the need for technology and tools used to manage data privacy changing at your company?”
• 51% state that the need for technology to manage data privacy is becoming significantly greater
Source: TrustArc / Dimensional Research 2017
Poll Question: How is the need for technology and tools used to manage data privacy changing at your company?
A. It is becoming significantly greater
B. It is becoming slightly greater
C. It is not changing
D. It is becoming smaller
Discussion Questions
• What are you seeing in the market?
• Any interesting trends regarding investment levels or areas of investment?
The EU GDPR – May 25, 2018 Deadline Significant Compliance Requirements
Wide Range of GDPR Readiness
61% have not begun implementation yet
• We haven’t started: 4%
• We are working on our preliminary plan: 39%
• We have a plan in place but haven’t started implementation: 18%
• We have started our implementation: 23%
• Our implementation is well underway: 11%
• We are done and are fully GDPR compliant: 4%
Question: “Which of the following best describes the state of your GDPR compliance?”
• 43% do not have a full plan yet (haven’t started plus working on a preliminary plan)
Source: TrustArc / Dimensional Research 2017
GDPR Preparedness by Company Size
(Chart: the six readiness stages (Have not started; Working on preliminary plan; Have plan, not started implementation; Started implementation; Implementation well underway; Done and fully compliant) broken out for 500 - 1,000, 1,000 - 5,000 and over 5,000 employees. The individual percentages are not recoverable from the extracted text.)
Question: “Which of the following best describes the state of your GDPR compliance?”
Source: TrustArc / Dimensional Research 2017
Poll Question: Which of the following best describes the state of your GDPR compliance?
A. We haven’t started
B. We are working on our preliminary plan
C. We have a plan in place, but haven’t started implementation yet
D. We have started our implementation
E. Our implementation is well underway
Discussion Questions
• Why have so few companies started their GDPR implementation?
• Does this surprise you?
• What are you seeing in the market?
• Will they make it in time?
GDPR Investments in Wide Range of Areas
99% will invest in additional capabilities; 55% will invest in technology and tools
• Consultants: 66%
• Internal hiring: 56%
• Technology and tools: 55%
• External legal expertise: 53%
• Other: 1%
• We are not making any GDPR investments: 2%
Question: “What areas will you be investing in to prepare for GDPR?”
• Investment in technology and tools rises to 67% among privacy professionals in the IT department vs. 47% in the Legal department
• “Other” includes training existing staff
Source: TrustArc / Dimensional Research 2017
GDPR Spending
83% expect GDPR spending to be six figures
2017 - 2018 GDPR Spending by All Respondents
• $0 – we don’t expect to spend anything on GDPR in 2017 or 2018: not labelled in the chart (the other bands account for 99% of responses)
• Less than $100,000: 17%
• Between $100,000 and $500,000: 42%
• Between $500,000 and $1,000,000: 23%
• More than $1,000,000: 17%
Question: “Approximately what is your company’s overall expectation for GDPR-related privacy compliance expenses in 2017 and 2018? Include all internal and external personnel, training, consulting, legal advice, technology, tools, and other costs in your estimate.”
• 40% of responding companies plan to spend at least $500K
Source: TrustArc / Dimensional Research 2017
GDPR Spending by Company Size
1 in 4 large companies expect to spend over $1M
(Chart: spend bands Less than $100K, Between $100K - $500K, Between $500K - $1M and More than $1M, broken out for 500 - 1,000, 1,000 - 5,000 and over 5,000 employees. The individual percentages are not recoverable from the extracted text.)
Question: “Approximately what is your company’s overall expectation for GDPR-related privacy compliance expenses in 2017 and 2018? Include all internal and external personnel, training, consulting, legal advice, technology, tools, and other costs in your estimate.”
Source: TrustArc / Dimensional Research 2017
Poll Question: What are your overall GDPR-related privacy compliance expenses in 2017-18? (all internal/external personnel, consultants, technology, etc.)
A. Less than $100,000
B. Between $100,000 and $500,000
C. Between $500,000 and $1,000,000
D. Between $1,000,000 and $5,000,000
E. More than $5,000,000
Discussion Questions
• Does this seem like too much or too little investment?
• How does this level of spending compare to historical levels for other compliance initiatives?
Help is Needed Across a Wide Range of Areas
GDPR planning topped the list
Share of respondents who “need significant help” with each task (the remaining respondents split between “need some help” and “don’t need help”; those splits are not reliably recoverable from the extracted chart):
• Developing a GDPR privacy plan: 39%
• Addressing international data transfer (Privacy Shield, APEC CBPR, BCRs, etc.): 36%
• Meeting regulatory reporting requirements: 30%
• Conducting privacy risk assessments, PIAs, DPIAs: 26%
• Creating data inventory and maps: 25%
• Data de-identification / anonymization: 25%
• Implementing privacy by design / privacy engineering: 25%
• Managing privacy incidents and breach notification: 23%
• Managing privacy complaints and individual rights: 23%
• Creating a vendor risk management program: 22%
• Obtaining and managing user consent: 22%
Question: “Below is a list of tasks related to data privacy compliance. For each task please indicate the amount of additional help you will need to accomplish these tasks in 2017.”
Source: TrustArc / Dimensional Research 2017
Discussion Questions
• Are these privacy priorities consistent with what you are seeing in the market?
• Any surprises?
• What other initiatives are starting to emerge?
Closing Remarks
• What advice do you have for companies to ensure they reach GDPR compliance in time?
Additional Resources
www.trustarc.com/resources
Questions?
Contacts
• Jim Koenig: jkoenig@fenwick.com
• Dr Kai Westerwelle: k.westerwelle@taylorwessing.com
• Dave Deasy: dave@trustarc.com
Privacy Insight Series – 2017 Calendar: www.trustarc.com/insightseries
Thank You! Register for the next webinar in our Series, August 16th: “Mastering Article 30 Compliance: Conducting, Maintaining & Reporting on your Data Inventory”
For the full Summer/Fall schedule and past webinar recordings, visit http://www.trustarc.com/insightseries