Privacy Governance survey: Maturity of privacy control in Dutch organisations
PwC The Netherlands
January 2017
www.pwc.nl/privacy
Content
Introduction: PwC Privacy Governance survey
Management Summary
Results (overview of the results by chapter)
• Privacy in your organisation
• Privacy strategy and policy
• Privacy incidents and notifications
• Privacy and your suppliers (third parties)
• Your organisation and privacy risks
• Statements
• About you and your organisation
Appendix
• Appendix A: PwC Privacy Portfolio
Contacts
Introduction: PwC Privacy Governance survey
For the third consecutive year, PwC conducted the Privacy Governance Survey. The topic of privacy has certainly been in the spotlight in 2016. Some of the main occurrences:
• The obligation to report data breaches came into effect on January 1st 2016;
• The General Data Protection Regulation (GDPR) was adopted, which organisations have until May 25th 2018 to implement;
• In media and politics, privacy was highlighted multiple times, with a focus on data breaches (e.g. at municipalities and hospitals) and various legal proceedings with regard to personal data;
• A new mechanism for cross-border personal data flows between the EU and the US, the 'Privacy Shield', was adopted.
PwC’s annual Privacy Governance Survey provides an overall insight into how Dutch organisations deal with privacy, why they believe it is important, and how they deal with current and new data privacy regulations. This survey provides the possibility to compare your own organisation with others, without giving an opinion on privacy performance and compliance within your organisation. The information obtained through this survey has solely been used for the preparation of this report.
What is the goal of the Privacy Governance Survey and how can it help your organisation?
The Privacy Governance Survey provides a unique insight into your organisation's readiness for the GDPR and your level of maturity in dealing with the protection of personal data. It also allows you to compare the results with other relevant organisations. Overall, the report gives insight into how Dutch organisations are dealing with privacy.
Added value for you and your organisation:
• a better understanding of the nature and impact of new privacy legislation;
• an assessment of the relevant privacy risks for your organisation;
• raised awareness with regard to privacy;
• increased attention for privacy governance and resilience within your organisation.
What are the new legal requirements?
Since January 1st 2016, the data breach notification obligation has been part of the Dutch Data Protection Act (Wet bescherming persoonsgegevens). In last year's survey we focused on the preparations organisations had made for this new obligation; at that point in time, the majority of organisations were not yet prepared. In this year's survey we investigated to what extent organisations now meet the obligation. We noted that a majority of organisations have designed policies and procedures for data breach notification. The main challenge appears to be the operating effectiveness of those policies and procedures.
A second important change is the GDPR, which entered into force in May 2016. Organisations have a grace period of two years to become compliant with the new regulation; as of May 25th 2018 the GDPR applies in all EU member states. The GDPR will have a major impact on organisations' data protection policies and on how they process personal data. One important change, amongst others, is that organisations must know and understand how personal data is processed within their organisation. Furthermore, the GDPR introduces the principles of privacy by design and privacy by default, to be applied for example by performing Privacy Impact Assessments when introducing new products and systems. Finally, the GDPR introduces substantially higher penalties: up to 4% of an organisation's worldwide annual turnover or EUR 20,000,000, whichever is higher.
We noted that preparations for the GDPR are getting underway. A number of organisations are actively preparing for the GDPR and determining the impact it will have. The emphasis in 2016 was on identifying the upcoming changes and assessing their impact; we expect that many organisations will start implementing the identified changes this year. Although May 25th 2018 seems far away, organisations will need all the time that is left to implement the relevant requirements.
Finally, a new mechanism for exchanging personal data between the EU and the US was adopted, the 'Privacy Shield'. It is expected that the validity of the Privacy Shield will be tested in legal proceedings, as was that of its predecessor 'Safe Harbour'. We advise organisations to use the so-called 'EU Model Contracts' (the EU Standard Contractual Clauses) for personal data transfers between the EU and the US, and to assess whether relevant US suppliers are certified under the new Privacy Shield.
Analysis of results
Over the past three years, 210 organisations from different sectors participated in the PwC Privacy Governance survey. This year's results are shown graphically in the following chapters:
• Privacy in your organisation
• Privacy strategy and policy
• Privacy incidents and notifications
• Privacy and your suppliers
• Your organisation and the privacy risk
• Statements
• About you and your organisation
Trends and developments in 2016
The introduction of new laws and regulations contributes to an ever-increasing insight into the importance of privacy and personal data protection within organisations. To the question whether the data breach notification obligation has resulted in increased awareness with regard to the processing of personal data, a vast majority (87%) of participants answered affirmatively.
Compared to last year, the proportion of organisations that are fully prepared for the data breach notification obligation rose from 16% to 58%. This is reflected in the fact that in 70% of the organisations (last year just 50%) Legal, IT (security) and Business cooperate intensively on privacy and data protection. In 74% of the organisations (against 50% last year) investment in privacy compliance increased. The upcoming enforcement of the GDPR has also contributed to increased attention to privacy and the processing of personal data: almost 90% of the participants state that they have a good insight into the personal data processing within their own organisation, against only 68% last year. Furthermore, the use of data processor agreements has increased from 60% to 70% in 2016, and organisations check compliance with their data processor agreements more often: from 18% last year to 50% in 2016. The role of data processors in the data breach notification obligation appears to be a major driver of this.
The PwC Privacy Governance Survey shows that various organisations have started their preparations for the GDPR. The percentage of organisations that have not started preparations has decreased from 35% to 25% in 2016. An increasing number of organisations are in the process of identifying the changes and the impact on their organisation. The expectation is that most organisations will start implementing the necessary changes this year.
How to use the results for your own purposes
Based on the overall picture presented in this report, we recommend:
1. Discussing the report and its recommendations with the persons responsible for privacy in the organisation, so that they can use its insights to further prepare the organisation for the GDPR;
2. Translating the outstanding issues into an action plan that leads to organisational, procedural and technical measures and controls;
3. Measuring effectiveness periodically.
We believe that this survey can strengthen the Dutch privacy competencies and improve our international competitiveness and position of trust. Moreover, this report provides an overview of the approach to privacy management within a large number of Dutch organisations which can be compared to that of your own organisation. The report gives insight into the state of personal data processing within your organisation compared to similar organisations and competitors. The information obtained through the survey has solely been used for the preparation of this report.
At your request, we are more than willing to further discuss the impact of the report to your organisation or to facilitate the development of an action plan that suits the focus of your organisation.
Sincerely,
Bram van Tiel, Director Technology and Security
Yvette van Gemerden, Partner Legal Services
Adri de Bruijn, Partner Consulting Technology
Management Summary
Collaboration increases
At 67% of the organisations, privacy is an interplay between Business, Legal and IT (security). Compared to 2015, cooperation has further strengthened.
[Chart: how often Business, Legal and IT (security) meet on privacy: periodically 70%, ad hoc 19%, only in case of incidents 11%]

Maturity in privacy increases, though still remains immature
Only 29% of the participants indicate that the processing of personal data in their organisation is on a (very) mature level. 41% indicate that they have performed a privacy assessment.

The usefulness of a European Data Protection Seal becomes clearer
52% of respondents think that such a seal could be useful for their organisation. This has almost doubled compared to last year (27%).

More investments in privacy compliance
More than 74% of the participants indicate that investments in privacy compliance have increased over the past year. The most important reason for these investments is that organisations feel responsible for the protection of personal data (75%).

Organisations not ready for obligation to notify data breaches
For 87% of the organisations, the data breach notification obligation resulted in increased awareness with regard to the processing of personal data. 58% of the organisations say they are prepared for the new obligation to report data breaches. Over three quarters (76%) of organisations are compliant with the statutory obligation to keep a central record of data breaches, and as many as 72% have a communication plan in place for data breaches. Consequently, it seems that the real challenge now is the operating effectiveness of the policies and procedures designed.

Organisations prepare for the General Data Protection Regulation
11% of the participants are ready for the new privacy regulation. 64% of the organisations are actively preparing for the GDPR.
[Chart: GDPR readiness: ready 11%, in preparation 64%, not in preparation 25%]

Privacy by design seems well embedded
Privacy by Design is well embedded within organisations: 69% consider the use of personal data when introducing new systems.

Data protection officer is on the rise
The Privacy Officer is working its way up: 28% of the organisations have now appointed a person to this position. In 17% of the cases no specific position is accountable for the topic of privacy, or no privacy policy is implemented.

Understanding of risks and impact
45% of the participating organisations do not carry out risk analyses (e.g. Privacy Impact Assessments) in the context of personal data processing.

Limited insight into data flows and data processing
Almost 90% of organisations indicate that they have a clear insight into data flows to external parties. However, only 35% document the data processing, and only a small minority (9%) document all of their personal data processing.

Processor agreements are used, though mostly not checked for compliance
70% indicate that data processor agreements are used when dealing with external suppliers. 31% check compliance with the terms of data processing agreements.
Results
Privacy in your organisation
For 67% of the organisations privacy is an integrated topic between Business, Legal and IT (Security).
In an ever-increasing number of organisations (64%) intensive collaboration between Business, Legal and IT (Security) takes place through at least quarterly meetings.
For 30% of the organisations such meetings solely take place in case of incidents or on an ad hoc basis.
[Chart: Where in your organisation lies the primary responsibility for privacy? (percentage of respondents) Answer options: Privacy is primarily a Business topic; Privacy is primarily a Legal topic; Privacy is primarily an IT (security) topic; Privacy is an integrated topic between Business, Legal and IT (security); Not specified.]
[Chart: How often do Business, Legal and IT (Security) meet to discuss privacy matters? (percentage of respondents) Answer options: Only in case of incidents; Ad hoc (without immediate cause); Periodically (at least annually); Periodically (at least quarterly); Periodically (at least monthly); Business, Legal and IT (Security) work together on a daily basis.]
The position accountable for privacy within organisations shows great variety. On the other hand, the results show that the Privacy Officer is becoming more common, with 28% of organisations appointing a person to this position.
In 17% of the cases no specific position is accountable for the topic of privacy, or no privacy policy is implemented.
[Chart: Who is currently responsible for the implementation of your organisation's privacy policy? (percentage of respondents) Answer options: Chief Information Officer; Chief Privacy Officer; IT Manager; Data Protection Officer; Security Officer; Compliance Officer; Risk Manager; Director Internal Audit; Legal Counsel; Controller; HR Manager; No one; We have no privacy policy; Other, please specify.]
Privacy strategy and policy
29% of the participants indicate that the processing of personal data in their organisation is on a (very) mature level, in contrast to just 9% of the organisations that consider the processing of personal data immature.
A minority of 41% of the organisations have performed a privacy assessment with regard to compliance with the General Data Protection Regulation.
[Chart: In your opinion, how mature is the processing of personal data in your organisation? (percentage of respondents) Answer options: Immature; Reasonably mature; Mature; Very mature; I don't know.]
[Chart: Does your organisation have a clear view of its level of compliance with the GDPR? (percentage of respondents) Answer options: Yes, we have performed a GDPR compliance assessment; No, but we have planned a GDPR compliance assessment; No.]
[Chart: Did your organisation implement a privacy program and/or strategy? (percentage of respondents) Answer options: Yes, a privacy program and/or strategy has been implemented; Yes, privacy is an integrated part of the information security strategy; No; I don't know.]
[Chart: Did your organisation make an extra investment in privacy compliance and governance last year? (percentage of respondents) Answer options: Yes, extra resources have been invested in privacy compliance and governance; No extra resources have been invested in privacy compliance and governance; I don't know.]
At 67% of the organisations a privacy program and/or strategy is implemented. This is roughly similar to the results of last year.
28% of the participating organisations have not implemented a privacy program and/or strategy.
At 74% of the organisations extra resources have been invested in privacy compliance and governance last year.
The new General Data Protection Regulation obliges organisations to maintain detailed records of the processing of personal data and to keep them up to date.
[Chart: Does your organisation have a clear view of which personal data are processed, and is this documented? (percentage of respondents) Answer options: All personal data processing is known and documented; Most personal data processing is known and documented; Most personal data processing is known, but not documented; Personal data processing is not/hardly known and not documented; I don't know.]
[Chart: Does your organisation include an evaluation of the adequacy of the security controls in place when evaluating the various forms of processing personal data? (percentage of respondents) Answer options: Yes, we have performed such an evaluation and concluded that the implemented controls are adequate; Yes, we have performed such an evaluation and concluded that the implemented controls are inadequate; No, we did not perform an assessment; I don't know.]
Only 9% of the organisations comply with the GDPR obligation to document all personal data processing. A large majority of the organisations have not documented, or have hardly documented, their processing of personal data.
Over 40% of the organisations indicate that no review took place of the existing security controls for the protection of personal data.
Only 53% of the organisations ensure transparent communication towards data subjects about the processing of their personal data by means of a privacy statement.
Almost 24% of the participants indicate that their organisation does not provide a privacy statement on its website.
More than a quarter of the organisations have implemented procedures regarding transparency and the right of correction for data subjects.
22% of the organisations are in the process of defining and/or implementing such procedures.
[Chart: How does your organisation ensure transparent communication towards data subjects on the processing of their personal data? (percentage of respondents) Answer options: A privacy statement is provided to data subjects with each data processing; A general privacy statement is available on our website; There is no privacy statement available to inform data subjects on the processing of their personal data; Other, please specify.]
[Chart: Does your organisation have procedures regarding transparency and the right of correction for data subjects? (percentage of respondents) Answer options: Yes, these procedures are implemented; No, but we are in the process of defining such procedures; No, we did not define such procedures; I don't know.]
Policies with regard to retention and disposal of personal data are defined by 69% of the participating organisations.
[Chart: Does your organisation have policies on retention and disposal of personal data? (percentage of respondents) Answer options: Yes, we have specific retention policies on personal data; Yes, retention policies are part of our general privacy policy; No; I don't know.]
The General Data Protection Regulation makes it possible for organisations to obtain a European Data Protection Seal.
52% of the respondents think that such a seal could be useful for their organisation. This has almost doubled compared to last year (27%).
[Chart: In your opinion, is it useful for your organisation to obtain a European Data Protection Seal? (percentage of respondents) Answer options: Yes, very useful; Yes, reasonably useful; No, not useful; I don't know.]
Privacy incidents and notifications
20% of the respondents indicate that no privacy incidents occurred last year.
Only 17% of the organisations indicate that the number of privacy incidents increased last year.
More than half (58%) of the participants consider their organisation's response to privacy incidents to be (very) good.
[Chart: In your opinion, how did your organisation respond to the privacy incidents? (percentage of respondents) Answer options: Bad/poorly; Not properly; Reasonably; Good; Very good; I don't know.]
[Chart: To your knowledge, has the number of privacy incidents in your organisation increased or decreased last year? (percentage of respondents) Answer options: Increased; Stable; Decreased; Not applicable, no privacy incidents occurred last year; I don't know.]
As of January 1st 2016, all organisations established in the Netherlands are obliged to notify data breaches without delay (including impact, measures taken, etc.) to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and, under certain conditions, to the data subjects involved.
52% of the organisations indicate that they are (very) well prepared for this obligation.
A large majority (78%) of organisations indicate that they comply with the obligation to keep a record of data breaches.
[Chart: Does your organisation maintain records of data breaches? (percentage of respondents) Answer options: Yes; No; I don't know.]
[Chart: In your opinion, is your organisation well prepared to meet these obligations? (percentage of respondents) Answer options: I am not aware of this obligation; Bad/poorly; Not properly; Reasonably; Good; Very good; I don't know.]
[Chart: Does your organisation have a communication plan in case of data breaches? (percentage of respondents) Answer options: Yes; No; I don't know.]
[Chart: Does your organisation report data breaches to the Data Protection Authority? (percentage of respondents) Answer options: Yes; No; I don't want to comment on this; I don't know.]
72% of the organisations have implemented a communication plan in case of a data breach.
44% of the organisations reported one or more data breaches to the Data Protection Authority.
Privacy and your suppliers (third parties)
Only 22% of the participants indicate that their organisation has a good insight into personal data flows with third parties.
Over two thirds of the participants indicate that they have a reasonable insight into personal data flows between their organisation and third parties.
Approximately 9% of the participants indicate that, despite their responsibility, the organisation has hardly any insight into personal data flows between their organisation and third parties.
[Chart: Does your organisation, from a privacy perspective, have insight into personal data flows between your organisation and third parties (suppliers, customers, data processors)? (percentage of respondents) Answer options: Yes, good; Yes, reasonably; No; I don't know.]
Under the Dutch Data Protection Act it is mandatory to impose contractual obligations on external parties that process personal data on your behalf (e.g. suppliers). As an organisation, you can choose to incorporate these obligations in existing contracts or to conclude a separate data processor agreement.
Approximately 70% of the organisations impose contractual obligations on external parties by means of a separate data processor agreement.
Only 6% of the organisations do not impose contractual obligations on external parties that process personal data on their behalf.
Half of the organisations (50%) do not periodically assess compliance with their data processor agreements.
[Chart: Do you use data processor agreements to allow external parties to process personal data on your behalf? (percentage of respondents) Answer options: Yes, in a separate data processor agreement; Yes, as part of an existing agreement; No; Not applicable, personal data is not processed by third parties; I don't know.]
[Chart: Do you (or others) review data processor agreements periodically on compliance? (percentage of respondents) Answer options: Yes; No; I don't know.]
Your organisation and the privacy risk
Only 22% of the organisations conduct a risk analysis (e.g. a Privacy Impact Assessment) as standard practice, and 33% perform such risk analyses only on an ad hoc basis, while 45% of the organisations indicate that no risk analyses are performed with regard to the processing of personal data, or do not know whether they are.
[Chart: Does your organisation conduct risk analyses (e.g. Privacy Impact Assessments) concerning personal data processing? (percentage of respondents) Answer options: Yes, privacy is part of the standard Business Risk Assessment; Yes, Privacy Impact Assessments are standard procedure for implementing new systems, programs and processes; Yes, we perform ad hoc Privacy Impact Assessments; No, we do not perform Privacy Impact Assessments; I don't know.]
More than half of the organisations assess compliance with the Dutch Data Protection Act periodically, either as part of the regular audit cycle or as separate assessments.
At 49% of the organisations, employees did not receive any privacy training or education in the past 12 months.
[Chart: How are employees in your organisation trained in the field of privacy? (percentage of respondents) Answer options: All employees are trained periodically; Only privacy employees are trained periodically; All employees are trained once; Only privacy employees are trained once; All employees are trained once, but privacy employees are trained periodically; No privacy training is provided.]
[Chart: Is privacy and compliance with the Dutch Data Protection Act periodically assessed? (percentage of respondents) Answer options: Yes, as part of the regular audit cycle; Yes, assessments are periodically performed (no audit); No, only ad hoc; No assessments take place on privacy and compliance with the Dutch Data Protection Act; I don't know.]
Statements
For a large majority (75%) of the organisations, the protection of personal data is the most important reason to put privacy on the agenda: they feel responsible for their customers' data.
For only a small number of respondents (6%) the risk of a high fine is the most important reason.
[Chart: The most important reason for our organisation to put privacy on the agenda is: (percentage of respondents) Answer options: The risk of a fine of 4% of worldwide annual turnover (of the previous year), or a fine with a maximum of EUR 20,000,000, whichever is higher; We feel responsible for the protection of personal data of our customers, employees and other relations; We fear reputational damage in case of privacy incidents; Privacy is not on the agenda.]
A quarter of the participants indicate that the organisation has not yet started to identify the upcoming changes in privacy legislation.
Only 11% states that the organisation is ready for the new privacy legislation.
[Chart: We are ready for the upcoming changes in privacy legislation (General Data Protection Regulation): (percentage of respondents) Answer options: We are ready; We have identified the changes and are working on implementation; We have identified the changes, but have not started implementation; We have not identified the changes yet.]
Under the General Data Protection Regulation (GDPR) it is mandatory to take the privacy of data subjects and the protection of personal data into account when implementing new systems.
Despite this new obligation, 31% of the participants state that their organisation does not always take privacy aspects and the protection of personal data into account at an early stage.
[Chart: Upon implementing new systems we always take into account privacy aspects and protection of personal data (Privacy by Design & Privacy by Default principles) at an early stage: (percentage of respondents) Answer options: Agree; Disagree.]
71% of the respondents view privacy legislation as not restrictive to the innovation capabilities of their organisation.
[Chart: Privacy legislation limits our innovation capabilities: (percentage of respondents) Answer options: Agree; Disagree.]
58% of the participants indicated that they have fully implemented the new obligation to report data breaches.
Chart: "We have fully implemented the Data Breach Act within our organisation:", with the answer options:
• Agree
• Disagree
A vast majority of 87% of the participants agree with the proposition that the data breach notification obligation has contributed to increased awareness of the processing of personal data.
Chart: "The Data Breach Notification Act contributed to the privacy awareness within our organisation regarding the processing of personal data:", with the answer options:
• Agree
• Disagree
The individual respondents of the survey are employed in a broad range of functions.
The participating organisations are active in a wide range of sectors and markets.
About you and your organisation
Chart: "Which one of these job titles describes your role in the best possible way?", with the answer options:
• Management Board
• Chief Information Officer
• Chief Privacy Officer
• IT Manager
• Data Protection Officer
• Security Officer
• Compliance Officer
• Risk Manager
• Director Internal Audit
• Legal Counsel
• Controller
• HR Manager
• Other, please specify

Chart: "Which sector classification is most applicable to the main activities of your organisation?", with the answer options:
• Industrial sector
• Retail sector
• Finance sector
• Energy & Utilities sector
• Pharmaceutical Industry
• Education
• Healthcare
• Public sector - Local
• Public sector - National
• Technology, Media & Telecommunications
• Tourism
• Transport
• Other, please specify
33% of the organisations have fewer than 500 employees, 30% have between 1,000 and 5,000 employees and 8% have more than 20,000 employees.
Chart: "How many employees does your organisation employ worldwide?", with the answer options:
• 0-500
• 500-1,000
• 1,000-5,000
• 5,000-20,000
• 20,000-50,000
• >50,000
For 69% of the organisations, activities are mainly focused on the Netherlands.
Chart: "Are your organisational activities mainly focusing on The Netherlands, the EU or International?", with the answer options:
• The Netherlands
• International (within the EU)
• International (outside the EU)
In the case of cross-border personal data flows outside the EU, 40% of the organisations do not (yet) make use of one of the necessary instruments the EU has developed for those scenarios.
Chart: "Which of the following instruments has your organisation implemented for the processing of personal data outside the EU?", with the answer options:
• Binding Corporate Rules
• EU Model contracts
• Privacy Shield
• Combination of above instruments
• Our organization does not process personal data outside the EU
• None
Appendix
Appendix A: PwC Privacy Portfolio
Figure: the PwC Privacy Portfolio cycle, with the phases Strategy, Exploration, Transformation management, Implementation, Aftercare and Assurance.

Strategy
• Support development of privacy related policies
• Design privacy strategy
• Creating a privacy roadmap
• Increase privacy awareness

Exploration
• Risk analysis of (sensitive) personal data
• Providing insight into possible use of personal data
• Classification of (sensitive) personal data
• Analyse contractual structures of personal data processing
• Perform privacy baseline assessments

Transformation management
• GDPR Transformation support
• Design privacy programs
• Providing insight into required changes of IT-systems
• Perform GAP-analyses
• Privacy Impact Assessments
• Assessment of contractual arrangements

Assurance
• Issue assurance reports based on ISAE3000/SOC2
• Privacy certification

Aftercare
• Organise workshops to increase privacy awareness
• Privacy policies and intranet publication of privacy controls implemented
• Governance assessments

Implementation
• Embedding of privacy measures in current control frameworks
• Updating IT-systems to enforce controls via systems technology
• Appoint personal data responsibilities centrally in the organization
• Notifications and registrations at the Data Protection Authority and design of privacy policies
© 2017 PwC. All rights reserved. Not for further distribution without the permission of PwC. “PwC” refers to the network of member firms of PricewaterhouseCoopers International Limited (PwCIL), or, as the context requires, individual member firms of the PwC network. Each member firm is a separate legal entity and does not act as agent of PwCIL or any other member firm. PwCIL does not provide any services to clients. PwCIL is not responsible or liable for the acts or omissions of any of its member firms nor can it control the exercise of their professional judgment or bind them in any way. No member firm is responsible or liable for the acts or omissions of any other member firm nor can it control the exercise of another member firm’s professional judgment or bind another member firm or PwCIL in any way.
Contacts

Would you like to have more information about the Privacy Governance survey and about how PwC could help your organisation? Please contact:

Bram van Tiel, Director Technology and Security, +31 (0)88 792 53 [email protected]
Yvette van Gemerden, Partner Legal Services, +31 (0) 88 792 54 [email protected]
Adri de Bruijn, Partner Consulting Technology, +31 (0) 88 792 65 [email protected]

www.pwc.nl/privacy