The International Association of Privacy Professionals (IAPP) and EY Governance Report 2017 has now been published.
This third annual study of privacy governance in organisations surveys modern privacy operations about the present and future of the privacy profession, and it reflects significant changes in privacy programmes globally in response to the GDPR.
It makes clear the growing importance organisations are placing on technology solutions.
“Perhaps the biggest takeaway from this year’s survey, however, is the role that technology is now playing in privacy management. The second most popular tool for GDPR preparation is investing in technology: 55 percent of respondents plan to make such investments, compared to just 29 percent last year. Among privacy team duties, the use of privacy-enhancing software rose to 31 percent of respondents from 24 percent in 2016.”
The report also shows that technology takes the largest share of privacy budgets, at 33% of total spend, ahead of outside counsel and consultants.
Risk-focused privacy management
GDPR regulators, such as the UK’s ICO, have made it clear that the GDPR signifies a move away from simple tick-box compliance towards being able to demonstrate an understanding of data privacy risks and to mitigate them. The survey reveals that the shift towards a risk-focused approach is taking place…
We can also see that Tech and EU firms are the most likely to be risk-focused in their privacy functions. Risk management software that supports the whole cycle of identifying, evaluating, treating and evidencing risks is well suited to this approach.
External Audits and Certifications
Whilst there is currently no external certification one can achieve for the GDPR itself, the regulation does expect data privacy policies and procedures to be regularly reviewed and audited. This, together with the move towards a risk-based approach to the GDPR, could be one of the reasons that ISO 27001 certification is on the increase.
Among external audits and certifications, ISO 27001 was the most commonly held certification in 2016 (39%) and rose to 50% in 2017. In unregulated firms the figure was much higher, at 60%.
The survey results also showed a significant move towards ISO 27001 as an expectation placed on vendors, up from 39% in 2016 to 50% in 2017, demonstrating that organisations increasingly seek the assurance an external certification can give.
Managing audit programmes and the wider Information Security Management System (ISMS) is another significant area where technology offers solutions.
GDPR Technology Solutions
With privacy management and compliance becoming more complex and more onerous, it is little wonder that demand for technology solutions is on the increase. At the same time, as the full report shows, privacy professionals are now working alongside their information security counterparts, together with Legal, HR and Compliance teams, to ensure that data privacy and information security risks are minimised and that GDPR compliance can be demonstrated.
Traditionally, technology solutions have each addressed a narrow set of requirements. For example, a risk management tool may need to be paired with separate products for policy management, staff communications and policy governance. Add the newer GDPR requirements of managing subject access requests and DPIAs, and the result is multiple vendor contracts, higher costs and management overhead, and an approach that is not joined up.
Until now there have been few affordable solutions offering an integrated approach. ISMS.online is a UK-hosted, ISO 27001-certified solution that enables privacy and information security work to take place in one integrated environment using:
Frameworks for GDPR policy management and governance mapped to an ISO 27001 framework where required
Actionable policies and controls
Team working with full collaboration functionality
Internal and external audit management
Staff communications & engagement
Supply chain/vendor management
Managing privacy and information security in one secure online solution allows you to describe and demonstrate compliance easily, while reducing management time and costs.