Privacy accountability improving but more needed - GPEN survey

Fuseworks Media
Nearly 75 percent of organisations contacted in an international data protection survey had people and processes in place to respond appropriately to a data breach. This was one of the significant findings of the 2018 Global Privacy Enforcement Network (GPEN) Sweep.

The Sweep was jointly coordinated by the Office of the Privacy Commissioner (OPC), New Zealand, and the Information Commissioner’s Office, UK. It was carried out by 18 data protection and privacy authorities around the world, contacting 667 organisations.

The GPEN Sweep was designed to consider how well organisations implemented the concept of privacy accountability into their own internal privacy programmes and policies. The study looked at how they have taken responsibility for complying with their jurisdiction’s data protection laws.

OPC contacted 16 New Zealand public and private sector organisations and received 12 responses.

Privacy Commissioner John Edwards says his office saw encouraging trends in each of the New Zealand respondent organisations regarding the seniority of privacy and data protection officers and how they had clear reporting lines to executive management.

But he says there appears to be less focus on privacy accountability in the private sector than in the public sector. "While many of the private sector agencies demonstrated good accountability practices, several seemed to have minimal privacy or data protection policies in place.

"Public sector agencies surveyed generally had much more sophisticated policies and practices in place which reflects in the trends we see through our complaints investigation function. Most government agencies have dedicated privacy teams, and this is not necessarily the reality for private agencies.

"Also encouraging was the awareness of my office’s education and outreach tools, with a particular focus on our toolkit for managing data breaches. This is especially heartening because the Privacy Bill currently before Parliament has provisions for mandatory data breach notifications."

Whilst there were examples of good practice, the Sweep found that some organisations had no processes in place to deal with privacy complaints and queries raised by data subjects and were not equipped to handle data security incidents appropriately. It also revealed:

Nearly 75 percent of respondent organisations across all sectors and jurisdictions had an individual or team who was responsible for ensuring their organisation complied with relevant data protection rules and regulations.

Organisations were generally found to be quite good at giving initial data protection training to staff, but often failed to provide refresher training.

When it came to monitoring internal performance, many organisations fell short, with around 25 percent saying they had no programmes in place to conduct self-assessments and/or internal audits.

The organisations that indicated that they have monitoring programmes in place generally gave examples of good practice, noting that they conducted annual audits or reviews and/or regular self-assessments.

Over 50 percent of the organisations surveyed indicated that they have incident response procedures, and that they maintain up-to-date records of all data security incidents and breaches.

Nearly 15 percent of organisations indicated that they have no processes in place to respond appropriately in the event of a data security incident.

The GPEN Privacy Accountability Sweep 2018 report can be obtained from the Office of the Privacy Commissioner’s website:
