
PRIVACY INSIGHT SERIES

Summer / Fall 2017 Webinar Program

Benchmarking Your GDPR Compliance: Will You Make the Grade?
July 26, 2017

2017 TrustArc Inc Proprietary and Confidential Information


Today's Speakers

Jim Koenig
Partner & Co-Chair, Privacy & Cybersecurity
Practice, Fenwick & West LLP

Dr Kai Westerwelle
Partner
Taylor Wessing (US) Inc.

Dave Deasy
SVP Marketing, TrustArc

2 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


Benchmarking Your GDPR Compliance:
Will You Make the Grade?
2017 TrustArc Privacy Insight Series
With less than one year to go before the GDPR is enforced across Europe,
how has the industry responded to the GDPR requirements and how many
companies will make the grade by May 2018?

Recent TrustArc research conducted by Dimensional Research found that over
61% of companies have not even started their GDPR Compliance programs.

Of those that had started - the three challenges cited most by the privacy
professionals surveyed were difficulty to maintain and update privacy programs
(57%), lack of appropriate tools and technology (56%), and lack of internal
resources (54%).

How does your program stack up?



Today's Agenda
How is privacy changing / what are the drivers
How are companies approaching the GDPR
Where they are prioritizing their effort
How much do they expect to spend
Tips to reach GDPR compliance



Privacy and the EU GDPR:
2017 Survey of Privacy Professionals

Research Overview
Conducted May 10 - 17, 2017 by Dimensional Research
Respondents: US-based privacy professionals from companies that are subject
to GDPR
Minimum company size = 500 employees
Respondent company headquarters: 92% US or Canada; 5% EU, 3% other
Respondents work in legal, IT, compliance and privacy functions
For 36% surveyed, privacy was their entire job
For 64% surveyed, privacy was an important part of their job (over 25%)
Note: due to rounding, some totals will not sum to exactly 100%



Respondent Demographics

Job Level
Individual contributor 14%
Executive 39%
Team manager 47%

Industry
Financial and Insurance Services 22%
Technology 17%
Manufacturing 11%
Business Services 8%
Education 6%
Retail 5%
Energy and Utilities 5%
Telecommunications 4%
Healthcare and Pharmaceutical 3%
Consumer Products 3%
Transportation 3%
Internet and E-commerce 3%
Other 2%
Media 2%
Aerospace and Defense 2%
Hospitality and Entertainment 2%
Food and Beverage 2%
Non-Profit 1%

Company Size (# employees)
Categories: 500 - 1,000; 1,000 - 5,000; 5,000 - 10,000; 10,000 - 50,000; More than 50,000
Pie chart shares (category assignment not recoverable): 13%, 29%, 10%, 14%, 34%

TrustArc / Dimensional Research 2017



Privacy Importance Growing
96% say importance of managing privacy is increasing

It is becoming significantly more important 68%
It is becoming slightly more important 28%
It is not changing
It is becoming less important

Question: How is the importance of data privacy management changing at your company?

Overall, 68% state managing privacy is becoming significantly more important

Amongst companies with 5,000+ employees, 79% state privacy is becoming
significantly more important vs. 67% for medium and 54% for small companies


Privacy Getting Harder
98% say complexity of managing privacy is increasing

It is becoming significantly more complex 56%
It is becoming slightly more complex 42%
It is not changing / It is becoming less complex 2%

Question: How is the complexity of data privacy management changing at your company?

56% of respondents state privacy is becoming significantly more complex




Discussion Questions

What is driving the importance?


What is driving the complexity?



Multiple Functions Responsible for Managing Privacy
Top functions include legal, IT, compliance, privacy, and data
governance
Legal 78%
IT including IT security and risk management 62%
Compliance 53%
Privacy 40%
Data governance or data management 37%
Executive team 23%
HR 21%
Business analytics 20%
Physical security (i.e. security at facilities) 17%
Engineering or product development 17%
Business unit 12%
Marketing 11%

Question: Which of the following job functions are involved in managing data privacy compliance including GDPR at your
company?



Primary Privacy Ownership Limited to a Few Groups
Legal dominates ownership in smaller companies; Compliance
and Privacy ownership increases in larger companies

Company size              Legal   IT    Compliance   Privacy
Over 5,000 Employees      20%     32%   28%          11%
1,000 - 5,000 Employees   36%     24%   14%          16%
500 - 1,000 Employees     44%     32%   7%           7%

Which of these job functions has PRIMARY responsibility for data privacy?

Note: percentages do not total 100%; the table excludes functions reporting under 5% ownership (e.g.,
data governance, engineering, marketing, physical security, executive team)


Discussion Questions

How is privacy program ownership changing over time?
What are you seeing in the market?



Privacy Spending Increasing
97% increasing their investment in managing privacy

It is becoming significantly larger 47%
It is becoming slightly larger 50%
It is not changing
It is becoming smaller

Question: Consider the entire investment your company is making to manage data privacy compliance at your
company, including internal and external resources, training, consultants, tools, and all other costs. How is this
investment changing?

47% of respondents state privacy spending is becoming significantly larger




Privacy Expertise and Guidance Needs Growing
97% say need for expertise or guidance for privacy increasing

It is becoming significantly greater 50%
It is becoming slightly greater 47%
It is not changing
It is becoming smaller

Question: How is the need for expertise or guidance to manage data privacy changing at your company?

50% state that the need for expertise or guidance to manage data
privacy is growing significantly greater


Privacy Technology Needs Growing
95% say need for technology to help manage privacy growing

It is becoming significantly greater 51%
It is becoming slightly greater 44%
It is not changing
It is becoming smaller

Question: How is the need for technology and tools used to manage data privacy changing at your company?

51% state that the need for technology to manage data privacy is growing
significantly greater



Poll Question
How is the need for technology and tools used to
manage data privacy changing at your company?

A. It is becoming significantly greater
B. It is becoming slightly greater
C. It is not changing
D. It is becoming smaller



Discussion Questions

What are you seeing in the market?


Any interesting trends regarding investment
levels or areas of investment?



The EU GDPR May 25, 2018 Deadline
Significant Compliance Requirements



Wide Range of GDPR Readiness
61% have not begun implementation yet
We haven't started 4%
We are working on our preliminary plan 39%
We have a plan in place but haven't started implementation 18%
We have started our implementation 23%
Our implementation is well underway 11%
We are done and are fully GDPR compliant 4%

Question: Which of the following best describes the state of your GDPR compliance?

43% do not have a full plan yet



GDPR Preparedness by Company Size

Values per row, in order: Have not started | Working on preliminary plan | Have plan, not started implementation | Started implementation | Implementation well underway | Done and fully compliant

Over 5,000 Employees: 3% | 39% | 23% | 21% | 11% | 4%
1,000 - 5,000 Employees: 1% | 40% | 16% | 30% | 10% | 3%
500 - 1,000 Employees: 10% | 39% | 15% | 17% | 12% | 7%

Question: Which of the following best describes the state of your GDPR compliance?



Poll Question
Which of the following best describes the state of your
GDPR compliance?

A. We haven't started
B. We are working on our preliminary plan
C. We have a plan in place, but haven't started implementation yet
D. We have started our implementation
E. Our implementation is well underway



Discussion Questions

Why have so few companies started their GDPR implementation?
Does this surprise you?
What are you seeing in the market?
Will they make it in time?



GDPR Investments in Wide Range of Areas
99% will invest in additional capabilities
55% will invest in technology and tools

Consultants 66%

Internal hiring 56%

Technology and tools 55%

External legal expertise 53%

Other 1%

We are not making any GDPR investments 2%


Question: What areas will you be investing in to prepare for GDPR?

Investment in technology and tools increases to 67% for privacy professionals in the IT
department vs. 47% in the Legal department

"Other" includes training of existing staff


GDPR Spending
83% expect GDPR spending to be six-figures
2017 - 2018 GDPR Spending by All Respondents

$0: we don't expect to spend anything on GDPR in 2017 or 2018
Less than $100,000 17%
Between $100,000 and $500,000 42%
Between $500,000 and $1,000,000 23%
More than $1,000,000 17%

Question: Approximately what is your company's overall expectation for GDPR-related privacy compliance expenses in 2017
and 2018? Include all internal and external personnel, training, consulting, legal advice, technology, tools, and other costs in
your estimate.

40% of responding companies plan to spend at least $500K



GDPR Spending by Company Size
1 in 4 large companies expect to spend over $1M

Company size              Less than $100K   Between $100K - $500K   Between $500K - $1M   More than $1M
Over 5,000 Employees      17%               36%                     23%                   23%
1,000 - 5,000 Employees   15%               40%                     27%                   19%
500 - 1,000 Employees     20%               53%                     19%                   9%

Question: Approximately what is your company's overall expectation for GDPR-related privacy compliance expenses in 2017
and 2018? Include all internal and external personnel, training, consulting, legal advice, technology, tools, and other costs in
your estimate.



Poll Question
What are your overall GDPR-related privacy compliance
expenses in 2017-18? (all internal/external personnel, cons,
tech, etc.)

A. Less than $100,000
B. Between $100,000 and $500,000
C. Between $500,000 and $1,000,000
D. Between $1,000,000 and $5,000,000
E. More than $5,000,000



Discussion Questions

Does this seem like too much or too little investment?
How does this level of spending compare to
historical levels for other compliance initiatives?



Help is Needed Across Wide Range of Areas
GDPR planning topped the list
Developing a GDPR privacy plan 39% 46% 15%

Addressing international data transfer (Privacy Shield, APEC CBPR, BCRs, etc.) 36% 45% 19%

Meeting regulatory reporting requirements 30% 49% 21%

Conducting privacy risk assessments, PIAs, DPIAs 26% 57% 17%

Creating data inventory and maps 25% 53% 21%

Data de-identification / anonymization 25% 52% 23%

Implementing privacy by design / privacy engineering 25% 57% 18%

Managing privacy incidents and breach notification 23% 53% 23%

Managing privacy complaints and individual rights 23% 51% 26%

Creating a vendor risk management program 22% 53% 25%

Obtaining and managing user consent 22% 41% 38%

Values per row, in order: Need significant help | Need some help | Don't need help

Question: Below is a list of tasks related to data privacy compliance. For each task please indicate the amount
of additional help you will need to accomplish these tasks in 2017.



Discussion Questions

Are these privacy priorities consistent with what you are seeing in the market?
Any surprises?
What other initiatives are starting to emerge?



Closing Remarks

What advice do you have for companies to ensure they reach GDPR compliance in time?



Additional Resources

www.trustarc.com/resources




Questions?




Contacts

Jim Koenig jkoenig@fenwick.com
Dr Kai Westerwelle k.westerwelle@taylorwessing.com
Dave Deasy dave@trustarc.com



Privacy Insight Series 2017 Calendar

www.trustarc.com/insightseries




Thank You!
Register for the next webinar in our Series - August 16th

Mastering Article 30 Compliance: Conducting, Maintaining &
Reporting on your Data Inventory

For full Summer/Fall schedule and past webinar recordings

Visit http://www.trustarc.com/insightseries