The Data Protection Commission (DPC) has published the results of the annual Global Privacy Sweep for 2018, which examined how well organisations are implementing the concept of accountability. The Global Privacy Enforcement Network members made contact with 356 organisations in 18 countries during the Sweep. It found that while there were examples of good practice reported, a number of organisations had no processes in place to deal with complaints and queries raised by data subjects, and were not equipped to handle data security incidents appropriately.
In Ireland, 30 randomly-selected organisations across a range of sectors (including pharmaceutical, multinational, Government / Local Government, transport, charity, education and finance) were contacted. The organisations were asked to complete a table of questions relating to ‘Privacy Accountability’. The DPC reported the following trends in Ireland:
- 86% of organisations have a contact for their DPO listed on their website, and all have privacy policies which are easily accessible from the homepage.
- The majority of organisations reported that they have policies and procedures in place to respond to requests and complaints from individuals.
- 75% of organisations reported that they have adequate data breach policies in place.
- All organisations reported that they provide some form of data protection training for staff. However, only 38% of those organisations provided evidence of training programmes for all staff, including new entrants and refresher training.
- In most cases, organisations reported that they undertake some data protection monitoring / self-assessment (e.g. internal audits), but not to a sufficiently high level.
- One third of organisations failed to provide evidence of documented processes to assess risks associated with new products and technology (e.g. Data Protection Impact Assessments). However, many reported that they are in the process of documenting appropriate procedures.
- 30% of organisations failed to demonstrate that they had an adequate inventory of personal data while almost half failed to maintain a record of data flows.
The DPC is currently assessing what follow-up actions are necessary based on the responses.