About 33% of UK organisations have not yet maintained inventories of personal data collected from their customers and a similar number of them are not carrying out regular self-assessments or audits of internal data protection standards and practices, the Information Commissioner’s Office has found.
This was revealed in a survey of 28 organisations across various sectors in the UK carried out by the data protection watchdog as part of Global Privacy Enforcement Network’s (GPEN) annual intelligence gathering operation. The exercise is aimed at understanding how well organisations have implemented the core concepts of accountability into their own internal privacy policies and programmes.
Aside from the 28 organisations surveyed in the UK, data protection regulators carried out similar surveys of 328 other organisations based in 11 other countries as part of the exercise. Based on the findings of the survey, GPEN found that in the 11 countries, over half of organisations documented incident response procedures and maintained up-to-date records of all data security incidents and breaches.
It also found that organisations performed quite well in giving data protection training to staff, and nearly three quarters of organisations had also appointed an individual or team responsible for ensuring their organisations’ adherence to relevant data protection rules and regulations.
Room for improvement in organisations’ data protection practices
However, GPEN observed that many organisations fell short when it came to monitoring internal performance in relation to data protection standards, with a quarter of them having no programmes in place to conduct self-assessments and/or internal audits. A large number of organisations were also found to have no processes in place to respond appropriately in the event of a data security incident.
The best news coming from UK organisations was that every single one of them had appointed personnel at a sufficiently senior level who are responsible for privacy governance and management.
“The findings suggest that whilst organisations contacted by the ICO and our international partners have a good understanding of the basic concept of accountability, in practice there is significant room for improvement,” said Adam Stevens, head of intelligence at the ICO.
“It is important that organisations have appropriate technical and organisational measures in place. This includes having clear data protection policies, taking a ‘data protection by design and default’ approach and continuing to review and monitor performance and adherence to data protection rules and regulations,” he added.