
Nearly 75 percent of organisations contacted in an international data protection survey had people and processes in place to respond appropriately to a data breach. This was one of the significant findings of the 2018 Global Privacy Enforcement Network (GPEN) Sweep.

The Sweep was jointly coordinated by the Office of the Privacy Commissioner (OPC), New Zealand, and the Information Commissioner’s Office, UK. It was carried out by 18 data protection and privacy authorities around the world, contacting 667 organisations.

The GPEN Sweep was designed to consider how well organisations implemented the concept of privacy accountability into their own internal privacy programmes and policies. The study looked at how they have taken responsibility for complying with their jurisdiction’s data protection laws.

OPC contacted 16 New Zealand public and private sector organisations and received 12 responses.

Privacy Commissioner John Edwards says his office saw encouraging trends in each of the New Zealand respondent organisations regarding the seniority of privacy and data protection officers and how they had clear reporting lines to executive management.

But he says there appears to be less focus on privacy accountability in the private sector than in the public sector. “While many of the private sector agencies demonstrated good accountability practices, several seemed to have minimal privacy or data protection policies in place.

“Public sector agencies surveyed generally had much more sophisticated policies and practices in place which reflects in the trends we see through our complaints investigation function. Most government agencies have dedicated privacy teams, and this is not necessarily the reality for private agencies.

“Also encouraging was the awareness of my office’s education and outreach tools, with a particular focus on our toolkit for managing data breaches. This is especially heartening because the Privacy Bill currently before Parliament has provisions for mandatory data breach notifications.”

Whilst there were examples of good practice, the Sweep found that some organisations had no processes in place to deal with privacy complaints and queries raised by data subjects and were not equipped to handle data security incidents appropriately. It also revealed:

  • Nearly 75 percent of respondent organisations across all sectors and jurisdictions had an individual or team who was responsible for ensuring their organisation complied with relevant data protection rules and regulations.
  • Organisations were generally found to be quite good at giving initial data protection training to staff, but often failed to provide refresher training.
  • When it came to monitoring internal performance, many organisations fell short with around 25 percent saying they had no programmes in place to conduct self-assessments and/or internal audits.
  • The organisations that indicated that they have monitoring programmes in place generally gave examples of good practice, noting that they conducted annual audits or reviews and/or regular self-assessments.
  • Over 50 percent of the organisations surveyed indicated that they have incident response procedures, and that they maintain up-to-date records of all data security incidents and breaches.
  • Nearly 15 percent of organisations indicated that they have no processes in place to respond appropriately in the event of a data security incident.

The GPEN Privacy Accountability Sweep 2018 report can be obtained here.

ENDS

Note to editors

The Global Privacy Enforcement Network (GPEN) was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border co-operation among privacy regulators in an increasingly global market in which commerce and consumer activity rely on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context.

The informal network comprises over 60 privacy enforcement authorities in 39 jurisdictions around the world.

The GPEN Sweep is currently co-chaired by the UK Information Commissioner’s Office and the New Zealand Office of the Privacy Commissioner.

For the exercise, participating GPEN member agencies were asked to reach out to organisations with a set of pre-determined questions which focused on these key elements of responsible data governance.

Contact: Charles Mabbett 021 509 735