
Keeping Pace in the GDPR Race: A Global View of GDPR Progress in the United States, Europe, China and Japan

Sponsored by McDermott Will & Emery LLP and MWE China Law Offices Independently conducted by Ponemon Institute LLC Publication Date: September 2019


KEEPING PACE IN THE GDPR RACE: A GLOBAL VIEW OF GDPR PROGRESS IN THE UNITED STATES, EUROPE, CHINA AND JAPAN Ponemon Institute, September 2019

TABLE OF CONTENTS

Part 1. Introduction
Part 2. Executive Summary: GDPR Progress and Data Breach Management
Part 3. Key Findings
  Data Breaches and Cyberattacks Under GDPR
  The Use of Cyber Insurance to Mitigate Financial Consequences
  Progress in GDPR Compliance
  Ongoing Efforts to Maintain Compliance
  Budgets and Investments in GDPR
  GDPR and Data Transfer Mechanisms
Part 4. Country Specific Differences
  United States and Europe
  GDPR and the California Consumer Privacy Act (CCPA)
Part 5. Chinese and Japanese Organizations’ Response to GDPR: Not Fully Prepared
Part 6. Methods
Part 7. Caveats to this Study
Appendix: Detailed Survey Results
Contact Information


PART 1. INTRODUCTION

This is the follow-up study to last year’s research, The Race to GDPR. In this year’s study, we expanded the research, for the first time, to include China and Japan in addition to the United States and Europe. A total of 1,263 organizations are represented in this study.

The uniquely demanding European Union (EU) General Data Protection Regulation (GDPR) came into force on May 25, 2018, virtually transforming how organizations in every industry handle personal data. This study reflects practical difficulties and regional differences in levels of adherence to GDPR across Europe, the United States, China and Japan.

Sponsored by law firm McDermott Will & Emery LLP and our strategic alliance, MWE China Law Offices, this follow-up research tackles the ongoing challenges organizations face in the wake of GDPR, despite their dedication to implementing the new requirements. Participants in this study work in a variety of departments, including IT, IT security, compliance, legal, data protection office and privacy. All organizations represented in this research are subject to GDPR.

PART 2. EXECUTIVE SUMMARY: GDPR PROGRESS AND DATA BREACH MANAGEMENT

GDPR work is ongoing; most organizations did not meet the May 25, 2018, deadline. Many organizations are renewing their GDPR budgets accordingly. Most organizations represented in this research report that GDPR implementation took longer than they had anticipated (54% of respondents) and that it was equally or more difficult to implement than other data privacy and security requirements (80% of respondents). Most organizations have a GDPR budget (72% of respondents), and about a third say the budget will be renewed annually (35% of respondents) or continue indefinitely (24% of respondents).

About half of the respondents had GDPR data breaches that had to be reported to regulators. Forty-six percent of respondents say their organizations have had reportable data breaches since GDPR came into effect, an average of approximately two per organization, and about one in six received a follow-up inquiry or inspection from the regulator. Thirty-nine percent of US respondents, 45% of European respondents, 36% of Chinese respondents and 33% of Japanese respondents say they reported a personal data breach to a regulator.

Data breach reporting under GDPR continues to be a major challenge for almost all organizations, regardless of region. Only 18% of respondents are highly confident in their organizations’ ability to communicate a reportable data breach to the relevant regulator(s) within 72 hours of becoming aware of the event. This suggests that early breach awareness and identification, even on a preliminary basis, remains a major difficulty for which organizations need more help.


More US organizations experienced cyberattacks under GDPR than other regions. Respondents in US organizations say they experienced more cyberattacks (45%) under GDPR than respondents in European (34%), Chinese (31%) and Japanese organizations (38%).

More US organizations than European and Chinese organizations engaged an external cybersecurity service to investigate GDPR security incidents. The use of outside forensic vendors to investigate cyberattacks is higher in the United States (44% of respondents) than in European (40% of respondents) and Chinese (25% of respondents) organizations. Surprisingly, 47% of Japanese respondents reported using forensic vendors, which is more than US organizations. Of the respondents who engaged such a service, 65% of US, 56% of European, 55% of Japanese and 41% of Chinese respondents say the work was conducted under litigation or attorney-client privilege.

Greater use of external forensic organizations likely identifies cyberattacks earlier and more accurately than the use of internal IT resources alone. As Europe and China catch up with US experience on data breach management, we would expect both the reported percentage of GDPR data breaches due to cyberattacks and the use of outside forensic firms to increase.

Cyber risk insurance was obtained by approximately a third of the organizations, and of those, less than half say that their insurance covers GDPR fines or penalties. Approximately a third of respondents report that their organizations have insurance that covers cyber risks, and 43% of those respondents say their cyber insurance policy covers GDPR fines or penalties. The types of incidents understood to be most often covered by cyber insurance policies are external attacks by a cyber-criminal (62% of respondents), human error, mistakes and negligence (41% of respondents), and malicious or criminal insiders (38% of respondents). However, 10% of respondents do not know what their cyber risk insurance policy covers.

A surprisingly high percentage of respondents say their organizations appointed a data protection officer (DPO) under GDPR, and about half of the non-European respondents say they appointed an EU representative. These high numbers are surprising because there are notably strict criteria for appointing DPOs and EU representatives. These findings, however, may also include voluntary appointments for these positions.

UNITED STATES AND EUROPE FINDINGS

More than half of respondents in US organizations apply GDPR data subject rights to both US and European employees. Fifty-seven percent of US respondents say their organizations apply the requirements to both US and European employees because they want to take a global approach, while about half of these respondents (49%) believe it is required by the GDPR.

More US respondents than European respondents say compliance with GDPR will assist in their compliance with the California Consumer Privacy Act (CCPA). Forty-six percent of US respondents say compliance with GDPR has helped define the strategy and overall approach to their compliance with the forthcoming CCPA and other US state privacy laws, while 30% of European respondents say this is the case.


Forty-three percent of US respondents and 33% of European respondents say compliance with the CCPA and other US state privacy laws will cause their organizations to re-evaluate their compliance position under GDPR.

CHINA FINDINGS

China has the lowest level of compliance with GDPR. Only 29% of the Chinese respondents say their organizations are fully compliant with GDPR, more than 10 percentage points lower than what respondents in US and European organizations report. Fifty percent of Chinese respondents say GDPR is as difficult to implement as other data privacy and security requirements.

Chinese respondents use internal resources to respond to data breaches, rather than external ones. Only 25% of Chinese respondents use external cybersecurity services to investigate data breaches, which is significantly less than other countries.

Chinese respondents’ means of maintaining compliance under GDPR lag behind those of US and European respondents. Fewer Chinese respondents take measures in several key areas to maintain GDPR compliance compared to US and European respondents, including localization, document retention and creating a data map showing data flows and processes. Only 2% of Chinese respondents have evaluated their relationships with third-party vendors, in contrast to 45% of respondents in US organizations and 30% of respondents in European and Japanese organizations. This is likely due to differences in data transfer rules and China’s data security laws.

Fewer Chinese organizations than US and European organizations report that they have purchased cybersecurity insurance. Only one in five Chinese respondents (19%) report that their organizations have insurance covering cyber risks. Fifteen percent of these respondents are not sure what types of incidents their cyber insurance policies cover, which is higher than the percentages from the other jurisdictions.

JAPAN FINDINGS

Most Japanese respondents say their organizations have not achieved full compliance with GDPR. Only 32% of Japanese respondents say their organizations have achieved full compliance with GDPR. Forty-one percent of Japanese respondents say GDPR is as difficult to implement as other data privacy and security requirements (e.g., Japanese Data Protection Legislation or China’s cybersecurity law).

Japanese respondents adopt measures to prevent and respond to data breaches—but they are not as regular with assessments. Forty-seven percent of Japanese respondents say they use external cybersecurity services to investigate data breaches, which, as noted, is more than what respondents in US and European organizations report. Less than half of Japanese respondents (43%) regularly conduct testing, assessments or evaluation of the effectiveness of technical and organizational measures for ensuring the security of the processing. In contrast, 65% of respondents in China and 54% of respondents in European organizations take such security actions.


Japanese respondents also report fewer measures in other areas of GDPR compliance than US and European respondents. Japanese respondents say their organizations have introduced or updated document requirements (39% of respondents), created a data inventory (46% of respondents) and invested in new technologies or services (39% of respondents), but each of these is lower than what is reported for US, European and Chinese organizations.

PART 3. KEY FINDINGS

In this section we provide an in-depth analysis of the research. Unless indicated otherwise, we present the consolidated findings for the United States, Europe, China and Japan. We also compare some of the 2018 findings to the 2019 research. A special section, as noted below, will describe the most salient differences between respondents in these countries. The complete audited findings are presented in the Appendix of the report.

DATA BREACHES AND CYBERATTACKS UNDER GDPR

Since GDPR came into effect, many organizations have had reportable data breaches. According to the findings, 46% of the organizations represented in this research had an average of approximately two data breaches under GDPR that were required to be reported to the regulator. One in six of these breaches drew a follow-up inquiry or inspection from the regulator.

As shown in Figure 1, US organizations experienced the most reportable data breaches under GDPR (an average of 2.49) and China reported the least (an average of 2.07).


Figure 1. Since May 25, 2018, how many personal data breaches did your organization have that were reportable under GDPR? Extrapolated values presented

  US  2.49
  EU  2.24
  JP  2.10
  CH  2.07

European and US organizations reported more of these breaches to the regulator than organizations in China and Japan. According to Figure 2, the European and US organizations were also more likely to receive follow-up inquiries or inspections.

Figure 2. How many of the breaches were reported to the regulator and received follow-up inquiries? Extrapolated averages

        Breaches reported to the regulator   Follow-up inquiries or inspections received from the regulator
  EU    2.05                                 0.80
  US    1.96                                 0.68
  CH    1.68                                 0.30
  JP    1.59                                 0.24


Negligent insiders, third parties and cyberattacks were the main root causes of these data breaches. According to Figure 3, almost half of reportable breaches were caused by negligent insiders, followed by outsourcing data to a third party and cyberattacks. Some 35% of respondents reported they did not know what caused the breach.

Figure 3. What were the root causes of these data breaches? More than one response permitted

  Negligent insider                       45%
  Outsourcing data to a third party       42%
  Cyberattack                             39%
  Systems glitch                          31%
  Failure to protect actual documents     19%
  Malicious insider                       13%
  Data lost in physical delivery          10%
  Do not know                             35%


While fines are a concern, most respondents say their organizations experienced a decrease in customer and consumer trust as a result of a data breach. Figure 4 shows that 43% of respondents say the consequence of the data breach was a loss of customer and consumer trust. This is followed by loss of productivity, legal action and reputation damage. Only 10% of respondents say they received a fine as a result of the data breach.

Figure 4. What were the consequences of these data breaches? More than one response permitted

  Decreased customer and consumer trust in our organization                              43%
  Loss of productivity                                                                   34%
  Legal action                                                                           33%
  Caused significant brand and reputation damage                                         33%
  Caused significant financial harm                                                      32%
  Made our organization more vulnerable to future breaches and other security incidents  25%
  Regulatory fines                                                                       10%
  Negative media coverage                                                                 9%
  Decline in company’s share price                                                        4%
  C-level executive was forced to resign                                                  2%
  Other                                                                                   1%


While still less than half, more respondents in this year’s study rate their readiness to respond to an EU data breach as high. Respondents were asked to rate their organizations’ readiness to respond to a data breach and their confidence in complying with GDPR’s data breach notification rules on a scale from 1 = low readiness/confidence to 10 = high readiness/confidence. Figure 5 shows the high readiness/confidence (7+ responses). Since last year’s study, the percentage of respondents who say they have a high level of readiness has increased from 35% to 46%.

Similarly, a high level of confidence in the ability to comply with GDPR’s data breach notification rules increased from 28% of respondents in the 2018 study to 46% of respondents in 2019.

Figure 5. Readiness to respond to a data breach involving personal data of EU individuals and confidence in complying with data breach notification rules. From 1 = low readiness and 10 = high readiness, and 1 = low confidence and 10 = high confidence; 7+ responses presented

                                                                               FY2018   FY2019
  Level of readiness to respond to a data breach involving personal data of EU individuals   35%      46%
  Level of confidence to comply with the GDPR’s data breach notification rules               28%      46%


Of those respondents (46%) who say they are highly confident in their ability to comply with the notification rules, the primary reasons are that:

• Their incident response plan has proven to be effective in providing timely notification (65% of respondents) and

• They have the necessary security technologies in place to be able to detect the occurrence of a data breach quickly (59% of respondents).

However, only 18% of these respondents cite the ability to provide notification to the data protection authority (DPA) within 72 hours of becoming aware of the event. As shown in Figure 6, this suggests uncertainty, if not inability, to obtain adequate forensic or other evidence in time to report to the data protection authorities within the 72-hour requirement. Under Article 33(1) of the GDPR, notification is due without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach; a later notification must be accompanied by the reasons for the delay (a “reasoned justification”).
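The 72-hour clock described above starts when the controller becomes aware of the breach, and a late notification must carry its reasons. The Python below is an added example, not code from the report or from Ponemon Institute, McDermott Will & Emery or MWE China Law Offices; the record layout, the status names and the sample incidents are all constructed here for illustration. It measures the window in absolute (UTC) time, so awareness and notification timestamps recorded by offices in different time zones do not shift the deadline, rejects naive timestamps, and flags late notifications that carry no stated reason.

```python
"""Article 33(1) notification-timing check (added example, not from the report).

Notification to the supervisory authority is due without undue delay and, where
feasible, within 72 hours of becoming aware of the breach; a later notification
must be accompanied by the reasons for the delay. The BreachRecord layout and the
sample incidents below are constructed for illustration, not real data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFICATION_WINDOW = timedelta(hours=72)


@dataclass
class BreachRecord:
    incident_id: str
    aware_at: datetime               # when the controller became aware (tz-aware)
    notified_at: Optional[datetime]  # when the DPA was notified; None if not yet
    delay_reasons: str = ""          # free text; required when notified late


def _require_tz(ts: datetime, name: str) -> datetime:
    # A naive timestamp silently moves the deadline by the local offset; refuse it.
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")
    return ts.astimezone(timezone.utc)


def deadline_for(aware_at: datetime) -> datetime:
    """Latest time at which a notification still falls inside the 72-hour window."""
    return _require_tz(aware_at, "aware_at") + NOTIFICATION_WINDOW


def assess(record: BreachRecord, now: datetime) -> dict:
    """Classify a record as on_time, late, late_unjustified, open or overdue."""
    aware = _require_tz(record.aware_at, "aware_at")
    deadline = aware + NOTIFICATION_WINDOW
    result = {"incident_id": record.incident_id, "deadline_utc": deadline.isoformat()}

    if record.notified_at is None:
        remaining = deadline - _require_tz(now, "now")
        result["status"] = "open" if remaining > timedelta(0) else "overdue"
        result["hours_remaining"] = round(remaining.total_seconds() / 3600, 1)
        return result

    notified = _require_tz(record.notified_at, "notified_at")
    if notified < aware:
        raise ValueError("notified_at precedes aware_at")
    elapsed = notified - aware
    result["hours_elapsed"] = round(elapsed.total_seconds() / 3600, 1)
    if elapsed <= NOTIFICATION_WINDOW:
        result["status"] = "on_time"
    elif record.delay_reasons.strip():
        result["status"] = "late"             # late, but reasons were supplied
    else:
        result["status"] = "late_unjustified"  # late and missing the required reasons
    return result


def sample_assessments() -> list:
    """Run the check over four constructed incidents (sample data, not real)."""
    cet = timezone(timedelta(hours=1))
    est = timezone(timedelta(hours=-5))
    now = datetime(2019, 9, 10, 12, 0, tzinfo=timezone.utc)
    aware = datetime(2019, 9, 2, 9, 0, tzinfo=cet)  # 08:00 UTC
    records = [
        # Notified 56.5 h after awareness: inside the window.
        BreachRecord("INC-1", aware, datetime(2019, 9, 4, 17, 30, tzinfo=cet)),
        # Awareness logged in CET, notification logged in EST: 73.5 h in absolute time.
        BreachRecord("INC-2", aware, datetime(2019, 9, 5, 4, 30, tzinfo=est),
                     "Forensic scoping of affected records completed 5 Sept."),
        # Four days late with no reasons recorded.
        BreachRecord("INC-3", aware, datetime(2019, 9, 6, 9, 0, tzinfo=cet)),
        # Not yet notified; 48 h remain as of `now`.
        BreachRecord("INC-4", datetime(2019, 9, 9, 12, 0, tzinfo=timezone.utc), None),
    ]
    return [assess(r, now) for r in records]


if __name__ == "__main__":
    for row in sample_assessments():
        print(row)
```

The check is deliberately strict about time zones: INC-2 shows how a notification that looks like "day three" on a US desk is already past the 72-hour mark once both timestamps are normalized to UTC, which is exactly the situation in which the reasons for the delay must be on file.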

Figure 6. Why is your organization confident in its ability to comply with data breach notification rules? More than one response permitted

  Incident response plan has proven to be effective in providing timely notification                                  65%
  The necessary security technologies are in place to be able to detect the occurrence of a data breach quickly       59%
  Ability to determine quickly if the breach is unlikely to result in a “risk for the rights and freedoms of natural persons”   23%
  Ability to provide notification to the data protection authority within 72 hours                                    18%
  Other                                                                                                                2%
  None of the above                                                                                                   21%


Approximately one-quarter of respondents on average in all countries say their readiness and confidence to respond to a GDPR data breach is very low. Respondents were asked to rate their readiness and confidence on a scale of 1 = low to 10 = high. Figure 7 reports the very low responses (1 to 4 responses on the 10-point scale). Thirty percent of respondents in the United States rate their level of readiness to respond to a GDPR data breach as very low.

Figure 7. Readiness to respond to a data breach involving personal data and confidence in complying with data breach notification rules. 1 = low readiness and 10 = high readiness, and 1 = low confidence and 10 = high confidence; 1 to 4 responses presented. [Bar chart by country (US, CH, JP, EU) for the two measures; the very-low shares range from 23% to 30%, with US readiness at 30%.]


Many respondents from the United States, Europe and Japan engaged external cybersecurity services. As shown in Figure 8, 47% of Japanese respondents and 44% of US respondents say their organizations used an external cybersecurity service provider to investigate GDPR data breaches or cyberattacks. Forty percent of European respondents and 25% of Chinese respondents say their organizations engaged such a service.

As a root cause of the data breach, European organizations reported experiencing fewer cyberattacks (34% of respondents) than US organizations (45% of respondents). It is unclear whether this difference in breach reporting is due to greater reporting generally by European organizations or European organizations engaging cybersecurity service providers less frequently (and detecting cyber breaches less frequently) than US organizations.

Figure 8. Did you use an external cybersecurity service to investigate the data breaches or cyberattacks? Yes responses

  JP  47%
  US  44%
  EU  40%
  CH  25%


Of the respondents who used an external service, 65% of US respondents and 56% of European respondents say the work was conducted under litigation or attorney-client privilege. In Japan 55% of respondents and in China 41% of respondents say investigations were conducted under litigation or attorney-client privilege, as shown in Figure 9. This difference is explained by the extensive litigation history in the United States regarding legal privilege in forensic, consulting and expert reports.

Figure 9. If yes, was the work conducted under litigation or attorney-client privilege? Yes responses

  US  65%
  EU  56%
  JP  55%
  CH  41%


Most organizations are addressing security problems with a variety of actions. As shown in Figure 10, the security action most often taken is the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident (68% of respondents). This is followed by the pseudonymization and encryption of personal data (62% of respondents).

Figure 10. Which of the following GDPR security actions has your organization addressed? More than one response permitted

                                                                                                             FY2018   FY2019
  The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident   70%      68%
  The pseudonymization and encryption of personal data                                                        64%      62%
  The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services   50%      50%
  Auditing and review of third-party contracts                                                                49%      49%
  A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing   52%      48%
  None of the above                                                                                           11%      12%


THE USE OF CYBER INSURANCE TO MITIGATE FINANCIAL CONSEQUENCES

Organizations purchase cyber insurance to reduce the financial consequences of a GDPR fine or penalty. Thirty-one percent of respondents say their organizations have insurance that covers cyber risks, and of those, less than half say their cyber insurance policy covers GDPR fines or penalties.

According to Figure 11, the types of incidents most often covered by cyber insurance policies are an external attack by a cyber-criminal (62% of respondents), human error, mistakes and negligence (41% of respondents), and malicious or criminal insiders (38% of respondents).

Figure 11. What types of incidents does your organization’s cyber insurance policy cover? More than one response permitted

  External attacks by cyber criminals                                                                               62%
  Human error, mistakes and negligence                                                                              41%
  Malicious or criminal insiders                                                                                    38%
  System or business process failures                                                                               32%
  State-sponsored attacks                                                                                           30%
  Incidents affecting business partners, vendors or other third parties that have access to your company’s information assets   26%
  Terrorism                                                                                                         15%
  Other                                                                                                              1%
  Unsure                                                                                                            10%


PROGRESS IN GDPR COMPLIANCE

As predicted in last year’s study, most organizations did not meet the May 25, 2018, deadline and the work is ongoing. About a third of respondents say they will achieve compliance with GDPR sometime in 2019, as shown in Figure 12. More than half of the organizations that have already achieved compliance with GDPR say that it took more time or a lot longer than expected to achieve compliance. Most respondents (80%) say compliance with GDPR was equally or more difficult to achieve than compliance with other privacy and security requirements.

Figure 12. When did you achieve compliance with GDPR?

  Before May 25, 2018                                  14%
  May 25, 2018                                         24%
  After May 25, 2018, but before December 31, 2018     31%
  2019                                                 31%


More organizations in the United States and Europe achieved compliance with GDPR before or on May 25, 2018. As shown in Figure 13, 40% (14% + 26%) of US respondents and 39% (18% + 21%) of European respondents say their organizations achieved compliance before or by May 25, 2018.

Figure 13. When did you achieve compliance with GDPR? By country

                                                     US     EU     JP     CH
  Before May 25, 2018                                14%    18%    10%    14%
  May 25, 2018                                       26%    21%    26%    18%
  After May 25, 2018, but before December 31, 2018   24%    35%    41%    29%
  2019                                               36%    26%    23%    39%

Almost half of non-European organizations believe all their processes or business units are subject to GDPR. As shown in Figure 14, 49% of respondents say all of their processes and business units are subject to GDPR, and 46% of respondents reported that some of their processes must comply with GDPR.

Figure 14. If your organization is not based in the European Union, to what extent are your processes or business units subject to GDPR compliance?

  All of our processes or business units are subject to GDPR     49%
  Some of our processes or business units are subject to GDPR    46%
  Unsure                                                          5%


Forty-four percent of respondents say their organization applies GDPR subject rights to US employees, in addition to EU employees. According to Figure 15, the top two reasons for applying GDPR data subject rights to US employees are the desire to apply the same data subject rights globally (60% of respondents) and more than half (53% of respondents) believe GDPR requires it.

Figure 15. If yes, why does your organization apply GDPR data subject rights to US employees? More than one response permitted

  We want to apply the same data subject rights globally, not just in the European Union   60%
  We believe it is required by GDPR                                                        53%
  We are doing it voluntarily                                                              36%
  We only have a small number of US employees                                              34%
  Other                                                                                     2%


Most organizations offer customer services, advertising, sales and marketing services in their offices and with third parties. According to Figure 16, the primary practices are call centers and customer service operations (89% of respondents), advertising and promotion campaigns (88% of respondents), sales management (83% of respondents), and marketing and customer outreach (83% of respondents). According to GDPR, the marketing functions of organizations must be able to show how the data subject has consented to the processing of their personal data.

Figure 16. Does your organization conduct the following practices with your offices and third parties? More than one response permitted

                                                                         FY2018   FY2019
  Call centers and customer service operations                            91%      89%
  Advertising and promotion campaigns                                     87%      88%
  Sales management                                                        87%      83%
  Marketing and customer outreach                                         83%      83%
  Data processing operations including the use of cloud infrastructure    74%      81%
  Payment transaction processing                                          72%      70%
  Research and development                                                64%      67%
  Identity, authentication and security management                        64%      66%
  Data hygiene and quality control                                        62%      54%
  Application development and testing                                     53%      51%
  Other                                                                    3%       4%


There is no one department that emerges as responsible for compliance with GDPR. Figure 17 lists a variety of departments that potentially could be responsible for GDPR compliance. IT security, compliance and legal departments are leading compliance efforts in the organizations represented in this research.

Figure 17. What department is most responsible for GDPR compliance?

IT security 21%

Compliance 20%

Legal 19%

IT 17%

Data Protection Office 8%

Risk management 8%

Privacy 4%

Internal audit 2%

Finance and accounting 1%


A surprisingly high percentage of respondents appointed a data protection officer (DPO) under GDPR, while about half of the respondents say they appointed an EU representative. According to Figure 18, some 90% of respondents say their organizations appointed a GDPR DPO and 54% of respondents say their organizations appointed an EU representative.

This is a notable result because there are criteria for appointing a DPO and an EU representative that not all organizations would presumably meet. The majority of organizations that did appoint a DPO and/or an EU representative appointed an internal individual rather than an external individual.

Figure 18. How did your company prepare for compliance with GDPR? More than one response permitted

Response FY2019 FY2018

Appointed a data protection officer under GDPR 90% 92%

Conducted an assessment of our ability to comply with the regulations 64% 62%

Allocated budget specifically for compliance with GDPR 57% 57%

Created a data map showing data flow and processes of personal data under GDPR* 55% n/a

Appointed a representative under GDPR* 54% n/a

Created a data inventory of the data we held that was subject to GDPR* 54% n/a

Invested in new technologies or services to prepare for the new requirements 46% 41%

* Not a response in FY2018


Since GDPR, organizations are conducting more data protection impact assessments (DPIAs). As part of their efforts to achieve and maintain compliance, organizations have increased the number of DPIAs from an average of approximately three to five, as shown in Figure 19.

Figure 19. How many DPIAs did organizations conduct before and after the introduction of GDPR? Extrapolated values presented

Data protection impact assessments conducted before GDPR 2.94

Data protection impact assessments conducted after GDPR 4.95


Organizations are hiring outside counsel to help with or conduct DPIAs. Forty-six percent of respondents reported that their organization hired outside counsel, mainly to conduct DPIAs, as shown in Figure 20. As discussed previously, organizations have been conducting more DPIAs since GDPR went into effect.

Figure 20. Has your organization hired outside counsel since the introduction of GDPR?

Response FY2019 FY2018

Yes 46% 46%

No 50% 49%

Unsure 4% 5%


According to Figure 21, of these respondents, 68% have hired outside counsel to conduct data inventory/privacy impact assessments. This is followed by 56% of respondents who say counsel is engaged to contact data protection authorities and 54% of respondents who say it is to mitigate risk.

Figure 21. If your organization has hired outside counsel since the introduction of GDPR, why? More than one response permitted

Reason FY2019 FY2018

Data inventory/privacy impact assessment 68% 68%

Contacting data protection authorities 56% 55%

Overall risk mitigation 54% 55%

Right to be forgotten 49% 51%

Establishing consent mechanisms 49% 46%

To establish client-attorney or litigation privilege* 43% n/a

Data breach 39% 39%

International data transfers 34% 34%

Complex language of GDPR 23% 23%

Other 2% 3%

* Response not available in FY2018


ONGOING EFFORTS TO MAINTAIN COMPLIANCE

The barriers to maintaining GDPR compliance remain unchanged since the 2018 study. As shown in Figure 22, the top barriers are the need to make comprehensive changes in business practices (69% of respondents), unrealistic demands from the regulation and regulator (53% of respondents), and too little time to devote to maintaining compliance (52% of respondents).

Figure 22. What are the barriers to maintaining GDPR compliance? Three responses permitted

Barrier FY2019 FY2018

The need to make comprehensive changes in business practices 69% 64%

Unrealistic demands from the regulation/regulator 53% 54%

Too little time 52% 55%

Insufficient budget to invest in additional staffing 38% 36%

Insufficient budget to invest in appropriate security technologies 34% 36%

The lack of experts knowledgeable about how to respond to a breach involving EU personal data 29% 30%

The lack of privacy or security experts knowledgeable about GDPR 22% 22%

Other 3% 3%


Concerns about non-compliance also have not changed. As shown in Figure 23, respondents continue to worry most about the fines and penalties they could receive from non-compliance and the extended data protection rights for individuals, including the “right to be forgotten.”

Figure 23. Top concerns if organizations fail to maintain compliance? More than one response permitted

Concern FY2019 FY2018

New penalties of up to 10 to 20 million euros or 2 to 4% of annual worldwide revenue, whichever is greater 66% 72%

Extended data protection rights for individuals, including the “right to be forgotten” 38% 40%

New data breach reporting obligations 35% 43%

New restrictions on profiling and targeted advertising 28% 26%

Direct legal compliance obligations for “data processors” 26% 27%


BUDGETS AND INVESTMENTS IN GDPR

Most organizations allocate budget specifically for compliance with GDPR. Sixty-one percent of respondents say their organization has a budget for GDPR activities. The average budget is $13.6 million, a slight increase from $13.2 million allocated last year. As shown in Figure 24, the majority believe the allocation will be renewed annually (35% of respondents) or continue indefinitely (24% of respondents).

Figure 24. Do you believe this is a one-time budget allocated to GDPR compliance?

Response FY2019 FY2018

Yes, one-time allocation 34% 38%

No, the budget will be renewed annually 35% 33%

No, the budget will continue indefinitely 24% 22%

Unsure 6% 7%

Managed services continue to receive the greatest amount of funding. Table 1 shows the allocation of organizations’ GDPR budget. Respondents were asked to allocate 100 points across the areas of spending. Since 2018, the allocation has not changed. Managed services, personnel and technologies are the primary areas receiving funding.

Personnel and technologies are in the top three areas to receive funding. Almost half of organizations represented in this research (48% of respondents) are hiring an average of almost four more employees to provide ongoing assistance with GDPR.


TABLE 1: SEVEN AREAS FOR GDPR BUDGET FY2019 FY2018

Managed services 28 28

Personnel 17 18

Technologies 17 17

Consultants 11 10

Business process engineering 11 10

Outside lawyers 9 9

Training 7 7

Total allocation for the GDPR budget 100 100

Earmarking for binding corporate rules (BCRs) and Privacy Shield has decreased since last year. According to Figure 25, only 26% of respondents say they have funds for BCRs and only 19% have funds for Privacy Shield.

Figure 25. Does your organization earmark funding for binding corporate rules and Privacy Shield? Yes responses presented

Earmarked funding FY2019 FY2018

Binding corporate rules 26% 33%

Privacy Shield 19% 23%


GDPR AND DATA TRANSFER MECHANISMS

Similar to the 2018 research, the top two mechanisms used to transmit EU personal data outside of the European Union are standard contractual clauses and consent. GDPR defines personal data as information relating to an identifiable person who can be directly or indirectly identified by reference to an identifier. Figure 26 lists the various mechanisms that can be used to transmit personal data. Seventy-seven percent of respondents say they use standard contractual clauses, and 61% say they use consent. The percentage of respondents who say their organizations use Privacy Shield has declined from 25% in 2018 to 15% in 2019.

Figure 26. Mechanisms used to transmit EU personal data outside of the European Union. More than one response permitted

Mechanism FY2019 FY2018

Standard contractual clauses 77% 83%

Consent 61% 67%

Adequacy 42% 43%

Other statutory derogations, such as fulfillment of contract 42% 41%

Certification or seal framework to be determined under GDPR 33% 29%

Binding corporate rules 17% 19%

Privacy Shield 15% 25%

None of the above 10% 9%


Forty-six percent of respondents say they have changed their data transfer mechanisms since GDPR. Of these respondents, 44% say they changed their mechanism to a certification or seal framework to be determined under GDPR and 34% say they changed to standard contractual clauses, as shown in Figure 27. The percentage of respondents who say their organization now uses a seal or certification program is high considering few exist to date.

Figure 27. What mechanisms did you change to after GDPR? More than one response permitted

Certification or seal framework to be determined under GDPR 44%

Standard contractual clauses 34%

Privacy Shield 33%

Consent 30%

Adequacy 27%

Binding corporate rules 24%

Other statutory derogations, such as fulfillment of contract 16%

None of the above 13%


PART 4. COUNTRY SPECIFIC DIFFERENCES

As discussed previously, 1,263 respondents from the United States (544), Europe (371), China (102) and Japan (246) participated in this study. In this section, we present a few differences among the countries represented in this research.

UNITED STATES AND EUROPE

More than half of the US company respondents apply GDPR data subject rights to both US and EU employees. As shown in Figure 28, 51% of US organizations surveyed say they give their US and EU employees the same rights under GDPR. European organizations take a slightly different approach, with only 43% of respondents saying their organizations apply GDPR data subject rights to both US and EU employees. Chinese and Japanese respondents do so at a lesser rate (39% and 28%, respectively).

Figure 28. Does your organization apply GDPR data subject rights to US employees in addition to EU employees? Yes responses presented

US 51%

EU 43%

JP 39%

CH 28%


As shown in Figure 29, the majority of organizations in all countries that provide GDPR data subject rights to their US employees do so because they want to take a global approach. European respondents are much more likely to believe the application of data rights to US employees is required by GDPR (68%).

Figure 29. Why does your organization apply GDPR data subject rights to US employees? More than one response permitted

Reason US EU CH JP

We want to apply the same data subject rights globally, not just the European Union 57% 65% 54% 63%

We believe it is required by GDPR 49% 68% 46% 43%

We are doing it voluntarily 38% 33% 30% 40%

We only have a small number of US employees 37% 35% 30% 26%


GDPR AND THE CALIFORNIA CONSUMER PRIVACY ACT (CCPA)

More US organizations say compliance with GDPR will assist in their compliance with the California Consumer Privacy Act (CCPA). According to Figure 30, almost half of the US respondents (46%) say compliance with GDPR helps with their compliance with the forthcoming CCPA and other US state privacy laws.

In contrast, only 30% of European respondents say this is the case. Forty-three percent of US respondents and 33% of European respondents say compliance with the CCPA and other US state privacy laws will cause their organization to re-evaluate its compliance position under GDPR.

Figure 30. The impact of GDPR on compliance with the California Consumer Privacy Act (CCPA). Strongly agree and Agree responses combined

Statement US EU CH JP

Compliance with GDPR will assist with our compliance with the California Consumer Privacy Act (CCPA) and other US state privacy laws 46% 30% 27% 35%

Compliance with the California Consumer Privacy Act (CCPA) and other US state privacy laws will cause our organization to re-evaluate its compliance position under GDPR 43% 33% 29% 41%


PART 5. CHINESE AND JAPANESE ORGANIZATIONS’ RESPONSE TO GDPR: NOT FULLY PREPARED

Results of this research concerning Chinese and Japanese organizations’ compliance with GDPR indicate that awareness needs to be raised. For multinationals with operations in China and Japan, the differences revealed in this survey could be seen as an opportunity to adjust their global cybersecurity and data compliance programs.

CHINA

Only 29% of Chinese respondents report that their organizations are fully compliant with GDPR. This is reflected in multiple aspects, which leaves a lot of room for improvement for Chinese enterprises, especially in response to data breaches and data transfers. It is also notable that 50% of Chinese respondents claim that GDPR is as difficult to implement as other data privacy and security requirements (e.g., China’s Cybersecurity Law), which also serves as a reminder for international enterprises with operations in China.

In contrast to respondents in the United States and Europe, Chinese respondents report their organizations have slightly different measures to prevent and respond to data breaches. Only 25% of Chinese respondents say their organizations use external cybersecurity services to investigate data breaches. In contrast, 44% of US and 40% of European respondents say they use an external cybersecurity service to investigate data breaches or cyberattacks. Of these Chinese respondents, only 41% say such investigations are conducted through litigation or under the protection of attorney-client privilege compared to 65% of US respondents, 56% of European respondents and 55% of Japanese respondents.

Sixty-five percent of Chinese respondents say their organizations regularly conduct testing, assessments or evaluation of the effectiveness of technical and organizational measures for ensuring the security of the processing. Fifty-four percent of respondents in Europe, 44% of respondents in the United States and 43% of respondents in Japan take such steps. Differences in the regulatory system for responding to data breaches between Europe and China could account for the difference in responses. For example, China’s Cybersecurity Law requires technicians and managerial teams to follow certain requirements that are different from the GDPR.

Chinese respondents’ awareness of what GDPR compliance requires also lags behind Western respondents. Fewer Chinese respondents take measures in several key areas to maintain their compliance compared to respondents in the United States and Europe, including introducing or updating document retention processes (29% of respondents) and creating a data map showing data flow and processes (45% of respondents).

Only 2% of Chinese respondents say their organizations evaluate their relationships with third-party vendors. The most likely reason behind that is the differences in data transfer rules under Chinese laws and GDPR. Currently the detailed data cross-border transfer requirements under Chinese law are still pending, and such uncertainties in legislation could account for the major differences.


Chinese organizations are less active in purchasing cybersecurity insurance than US and European organizations. Around one in five Chinese respondents (19%) report that they have insurance covering cyber risks, much lower than what respondents in the United States (35%) and Europe (29%) report. Of these respondents, 15% are not sure what types of incidents their cyber insurance policies should cover, which is higher than the percentage from any other jurisdiction.

JAPAN

Only about one-third of Japanese respondents say their organizations are fully compliant with GDPR. Thirty-two percent of Japanese respondents say they are fully compliant with GDPR, compared to 55% of European respondents and 43% of US respondents. Twenty-three percent of Japanese respondents report they will achieve compliance by the end of 2019. This leaves a lot of room for improvement for Japanese enterprises, especially in response to data breaches and data transfers.

It is also interesting that 41% of Japanese respondents say that GDPR is as difficult to implement as other data privacy and security requirements (e.g., Japanese Data Protection Legislation or China’s Cybersecurity Law), which also serves as a reminder for international enterprises with multi-jurisdiction operations.

Similar to what respondents in the United States and Europe report, Japanese respondents say their organizations adopt measures to prevent and respond to data breaches. Forty-seven percent of Japanese respondents use external cybersecurity services to investigate data breaches, which is higher than what respondents in the United States (44% of respondents), Europe (40% of respondents) and China (25% of respondents) report. Of these respondents, 55% of Japanese respondents say such investigations are conducted through litigation or under the protection of attorney-client privilege compared to 65% of US respondents, 56% of European respondents and 41% of Chinese respondents.

Forty-three percent of Japanese respondents regularly conduct testing, assessments or evaluation of the effectiveness of technical and organizational measures for ensuring the security of the processing. More respondents in China (65%), Europe (54%) and the United States (44%) say they take such security actions. Differences in the regulatory system for responding to data breaches under China, the United States, Europe and Japan could account for the difference in responses.

Japanese respondents’ compliance with other aspects of GDPR lags behind the United States and Europe. Japanese respondents say their organizations take measures in several key areas to maintain compliance, but at lower rates than respondents in the United States and Europe report. These actions by Japanese organizations include introducing or updating document retention requirements (39% of respondents), creating a data inventory (46% of respondents) and investing in new technologies or services (39% of respondents), each of which was less than reported for US, European and Chinese organizations.


Thirty percent of Japanese respondents say they evaluate their relationships with third-party vendors, which is the same as what European respondents report. The most likely reason behind that is the concern to secure data flows between Japan and Europe until the enactment of the reciprocal European adequacy decision, which has now been finalized.

Responses from Japanese organizations regarding cybersecurity insurance are similar to those of Western organizations. Around a third of Japanese respondents (31%) report that their company has purchased insurance covering cyber risks. Only 8% of Japanese respondents are not sure what types of incidents their cyber insurance policies cover, which is the lowest percentage of all jurisdictions.

PART 6. METHODS

A sampling frame of 40,767 individuals who work in a variety of departments, including IT, IT security, compliance, legal, data protection office and privacy, was selected for the research. Respondents are located in the United States, Europe, China and Japan. Table 2 shows 1,505 total returns. Screening and reliability checks required the removal of 242 surveys. Our final sample consisted of 1,263 surveys, or a 3.1% response rate.

TABLE 2. SAMPLE RESPONSE US EU CH JP TOTAL

Total sampling frame 15,300 11,001 4,516 9,950 40,767

Total returns 612 430 165 298 1,505

Rejected or screened surveys 68 59 63 52 242

Final sample 544 371 102 246 1,263

Response rate 3.6% 3.4% 2.3% 2.5% 3.1%

Pie Chart 1 reports the current position or organizational level of the respondents. More than half of the respondents (59%) reported their current position as supervisory level or above and 30% of respondents reported their current position level as technician.


Pie Chart 1. Current position or organizational level

Senior executive/VP 6%

Director 16%

Manager 20%

Supervisor 17%

Technician 30%

Staff member 7%

Consultant 4%

As Pie Chart 2 reveals, 48% of the respondents report to the CIO, followed by the CSO/CISO (21% of respondents), and compliance leader (14% of respondents).

Pie Chart 2. Direct reporting channel

To the CIO 48%

To the CSO/CISO 21%

Compliance leader 14%

To the CTO 5%

To the general counsel 5%

To the CPO 4%

To the CFO 2%

Seventy-two percent of the respondents are from organizations with a global headcount of more than 1,000 employees.


Pie Chart 3. Full-time headcount of the global organization

Fewer than 500 people 12%

500 to 1,000 people 16%

1,001 to 5,000 people 31%

5,001 to 25,000 people 25%

25,001 to 75,000 people 11%

(category label missing from source) 5%

Pie Chart 4 reports the primary industry classification of respondents’ organizations. This chart identifies financial services (18% of respondents) as the largest segment, which includes banking, investment management, insurance, brokerage, payments and credit cards. This is followed by industrial/manufacturing (13% of respondents), public sector (11% of respondents), health and pharmaceuticals (11% of respondents), services sector and retail (both at 10% of respondents each).

Pie Chart 4. Primary industry focus

Financial services 18%

Industrial/manufacturing 13%

Public sector 11%

Health & pharmaceuticals 11%

Services 10%

Retail 10%

Technology & software 9%

Energy & utilities 6%

Hospitality & leisure 4%

Transportation 2%

Entertainment & media 2%

Education & research 2%

Other 2%


PART 7. CAVEATS TO THIS STUDY

There are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings. The following items are specific limitations that are germane to most web-based surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys to a representative sample of individuals, resulting in a large number of usable returned responses. Despite non-response tests, it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instrument.

• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is representative of individuals involved in IT, IT security, compliance, legal, data protection office and privacy. We also acknowledge that the results may be biased by external events, such as media coverage. Finally, because we used a web-based collection method, it is possible that non-web responses made by mailed survey or telephone call would result in a different pattern of findings.

• Self-reported results: The quality of survey research is based on the integrity of confidential responses received from subjects. While certain checks and balances can be incorporated into the survey process, there is always the possibility that a subject did not provide accurate responses.


APPENDIX: DETAILED SURVEY RESULTS

The following tables provide the frequency or percentage frequency of responses to all survey questions contained in this study. All survey responses were fielded and collected in March 2019.

SURVEY RESPONSE US EU CH JP FY2019

Total sampling frame 15,300 11,001 4,516 9,950 40,767

Total survey returns 612 430 165 298 1,505

Rejected surveys 68 59 63 52 242

Final sample 544 371 102 246 1,263

Response rate 3.6% 3.4% 2.3% 2.5% 3.1%

PART 1. SCREENING QUESTIONS

S1. IS YOUR COMPANY SUBJECT TO GDPR? US EU CH JP FY2019

Yes 91% 96% 49% 70% 85%

No (Stop) 9% 4% 51% 30% 15%

Total 100% 100% 100% 100% 100%

S2. HOW FAMILIAR ARE YOU WITH GDPR? US EU CH JP FY2019

Very familiar 39% 53% 25% 34% 41%

Familiar 50% 40% 26% 30% 41%

Not familiar 11% 7% 49% 36% 18%

No knowledge (stop) 0% 0% 0% 0% 0%

Total 100% 100% 100% 100% 100%


PART 2. BACKGROUND

Q1A. WHAT BEST DESCRIBES YOUR ORGANIZATION’S LEVEL OF COMPLIANCE WITH GDPR? US EU CH JP FY2019

Fully compliant 43% 55% 29% 32% 43%

Partially compliant 31% 27% 33% 39% 32%

Not compliant as yet 26% 18% 38% 29% 25%

Total 100% 100% 100% 100% 100%

Q1B. WHEN DID YOU ACHIEVE COMPLIANCE WITH GDPR? US EU CH JP FY2019

Before May 25, 2018 14% 18% 14% 10% 14%

May 25, 2018 26% 21% 18% 26% 24%

After May 25, 2018, but before December 31, 2018 24% 35% 29% 41% 31%

2019 36% 26% 39% 23% 31%

Total 100% 100% 100% 100% 100%

Q1C. WAS THE LENGTH OF TIME TO ACHIEVE COMPLIANCE WITH GDPR AS YOU EXPECTED? US EU CH JP FY2019

Compliance took less time than expected 16% 24% 20% 11% 18%

Compliance took about the time expected 23% 25% 40% 39% 28%

Compliance took more time than expected 34% 26% 31% 27% 30%

Compliance took a lot longer than expected 27% 25% 9% 23% 24%

Total 100% 100% 100% 100% 100%


Q2. HOW SIGNIFICANT WAS THE IMPACT OF COMPLIANCE ON YOUR ORGANIZATION’S OPERATIONS? US EU CH JP FY2019

Significant impact 28% 31% 25% 42% 31%

Some impact 41% 37% 35% 30% 37%

Nominal impact 16% 19% 28% 18% 18%

No impact 15% 13% 12% 10% 13%

Total 100% 100% 100% 100% 100%

Q3. RELATIVE TO OTHER DATA PRIVACY AND SECURITY REQUIREMENTS, HOW DIFFICULT WAS GDPR TO IMPLEMENT?

US EU CH JP FY2019

More difficult 45% 33% 29% 37% 39%

Equally difficult 35% 46% 50% 41% 41%

Less difficult 16% 19% 16% 18% 17%

Cannot determine 4% 2% 5% 4% 3%

Total 100% 100% 100% 100% 100%

Q4. WHAT DEPARTMENT IS MOST RESPONSIBLE FOR GDPR COMPLIANCE? PLEASE SELECT ONLY ONE CHOICE. US EU CH JP FY2019

Privacy 5% 4% 0% 1% 4%

Data protection office 7% 11% 6% 7% 8%

Compliance 20% 23% 14% 20% 20%

Internal audit 2% 3% 2% 0% 2%

Risk management 8% 7% 6% 8% 8%

Finance and accounting 1% 2% 2% 0% 1%

Legal 19% 15% 26% 21% 19%

IT 16% 17% 23% 19% 17%

IT security 22% 18% 21% 24% 21%

Total 100% 100% 100% 100% 100%


Q5. WHAT DEPARTMENTS/FUNCTIONS ARE AFFECTED BY COMPLIANCE WITH GDPR? PLEASE SELECT ALL THAT APPLY.

US EU CH JP FY2019

Marketing 68% 56% 43% 71% 63%

Sales 48% 44% 35% 50% 46%

Call centers 60% 51% 61% 55% 56%

IT 71% 63% 60% 65% 67%

R&D 25% 23% 10% 19% 22%

Manufacturing 36% 40% 38% 42% 39%

Human resources 67% 72% 39% 59% 65%

Logistics/supply chain 69% 58% 59% 62% 64%

Legal 57% 46% 54% 50% 52%

Finance and accounting 16% 19% 8% 15% 16%

Other 3% 2% 2% 1% 2%

Total 520% 474% 409% 489% 491%

Q6. IF YOUR ORGANIZATION IS NOT BASED IN THE EU, TO WHAT EXTENT ARE YOUR PROCESSES OR BUSINESS UNITS SUBJECT TO GDPR COMPLIANCE?

US EU CH JP FY2019

All of our processes or business units are subject to GDPR 44% 69% 29% 36% 49%

Some of our processes or business units are subject to GDPR 50% 26% 68% 60% 46%

Unsure 6% 5% 3% 4% 5%

Total 100% 100% 100% 100% 100%


Q7A. DOES YOUR ORGANIZATION APPLY GDPR DATA SUBJECT RIGHTS TO US EMPLOYEES, IN ADDITION TO EU EMPLOYEES?

US EU CH JP FY2019

Yes 51% 43% 28% 39% 44%

No 41% 50% 64% 52% 48%

Unsure 8% 7% 8% 9% 8%

Total 100% 100% 100% 100% 100%

Q7B. IF YES, WHY DOES YOUR ORGANIZATION APPLY GDPR DATA SUBJECT RIGHTS TO US EMPLOYEES? PLEASE SELECT ALL THAT APPLY.

US EU CH JP FY2019

We believe it is required by GDPR 49% 68% 46% 43% 53%

We are doing it voluntarily 38% 33% 30% 40% 36%

We want to apply the same data subject rights globally, not just the European Union 57% 65% 54% 63% 60%

We only have a small number of US employees 37% 35% 30% 26% 34%

Other 2% 1% 3% 2% 2%

Total 183% 202% 163% 174% 185%

Q8. HAS YOUR ORGANIZATION APPOINTED ANY OF THE FOLLOWING? US EU CH JP FY2019

An internal data protection officer (DPO) 41% 46% 34% 40% 42%

An external DPO 39% 40% 29% 39% 38%

An internal representative in the European Union, if you are not established in the European Union 26% 32% 31% 30% 29%

An external representative in the European Union, if you are not established in the European Union 25% 19% 21% 24% 23%

None of the above 28% 23% 21% 26% 26%

Total 159% 160% 136% 159% 157%


Q9. DO YOU OFFER GOODS OR SERVICES TO DATA SUBJECTS IN THE EUROPEAN UNION, FOR SALE OR FREE?

US EU CH JP FY2019

Yes 95% 98% 79% 85% 93%

No 5% 2% 21% 15% 7%

Total 100% 100% 100% 100% 100%

Q10. DO YOU TRACK OR OBSERVE THE BEHAVIOR OF EU RESIDENTS IN THE EUROPEAN UNION BY USING COOKIES OR OTHER METHODS?

US EU CH JP FY2019

Yes 63% 49% 49% 60% 57%

No 37% 51% 51% 40% 43%

Total 100% 100% 100% 100% 100%

Q11. TO TRANSMIT EU PERSONAL DATA OUTSIDE OF THE EUROPEAN UNION, WHAT MECHANISMS DOES YOUR COMPANY USE? PLEASE CHECK ALL THAT APPLY.

US EU CH JP FY2019

Standard contractual clauses 80% 79% 69% 73% 77%

Consent 65% 61% 46% 59% 61%

Other statutory derogations, such as fulfillment of contract 43% 44% 41% 39% 42%

Certification or seal framework to be determined under GDPR 32% 35% 27% 34% 33%

Adequacy 45% 41% 40% 40% 42%

Binding corporate rules (BCRs) 16% 20% 21% 15% 17%

Privacy Shield 17% 14% 12% 13% 15%

None of the above 10% 9% 7% 11% 10%

Total 308% 303% 263% 284% 298%


Q12A. SINCE GDPR WENT INTO EFFECT, DID YOU CHANGE ANY DATA TRANSFER MECHANISMS? US EU CH JP FY2019

Yes 45% 43% 50% 40% 44%

No 48% 51% 44% 53% 50%

Unsure 7% 6% 6% 7% 7%

Total 100% 100% 100% 100% 100%

Q12B. IF SO, TO WHICH MECHANISMS DID YOUR ORGANIZATION CHANGE TO? US EU CH JP FY2019

Standard contractual clauses 37% 34% 25% 33% 34%

Consent 31% 33% 25% 27% 30%

Other statutory derogations, such as fulfillment of contract 16% 15% 15% 20% 16%

Certification or seal framework to be determined under GDPR 42% 44% 45% 47% 44%

Adequacy 28% 26% 30% 25% 27%

Binding corporate rules (BCRs) 25% 23% 12% 30% 24%

Privacy Shield 32% 31% 39% 35% 33%

None of the above 13% 15% 10% 11% 13%

Total 224% 221% 201% 228% 222%

Q13A. WHAT DO YOU CONSIDER YOUR ORGANIZATION TO BE? US EU CH JP FY2019

Controller 38% 35% 43% 40% 38%

Processor 29% 33% 27% 30% 30%

Both processor and controller 33% 32% 30% 30% 32%

Total 100% 100% 100% 100% 100%


Q13B. IF YOU ARE A PROCESSOR, DID YOU BECOME A CONTROLLER BECAUSE OF GDPR? US EU CH JP FY2019

Yes 35% 31% 35% 36% 34%

No 57% 62% 56% 56% 58%

Unsure 8% 7% 9% 8% 8%

Total 100% 100% 100% 100% 100%

Q14. DOES YOUR ORGANIZATION CONDUCT THE FOLLOWING PRACTICES WITH YOUR OFFICES AND THIRD PARTIES THROUGHOUT THE WORLD? PLEASE CHECK ALL THAT APPLY.

US EU CH JP FY2019

Marketing and customer outreach 85% 87% 100% 65% 83%

Advertising and promotion campaigns 84% 109% 88% 67% 88%

Call centers and customer service operations 88% 81% 97% 99% 89%

Data processing operations including the use of cloud infrastructure 84% 87% 73% 68% 81%

Research and development 70% 63% 65% 68% 67%

Sales management 80% 84% 92% 87% 83%

Payment transaction processing 72% 72% 83% 59% 70%

Data hygiene and quality control 49% 59% 69% 51% 54%

Identity, authentication and security management 71% 64% 60% 60% 66%

Application development and testing 47% 53% 58% 55% 51%

Other (please specify) 4% 4% 4% 3% 4%

Total 733% 763% 786% 682% 736%


Q15A. SINCE MAY 25, 2018, HOW MANY PERSONAL DATA BREACHES DID YOUR ORGANIZATION HAVE THAT WERE REQUIRED TO BE REPORTED UNDER GDPR?

US EU CH JP FY2019

None 48% 48% 55% 54% 50%

1 to 5 34% 40% 30% 31% 35%

6 to 20 11% 8% 9% 9% 10%

More than 20 2% 0% 0% 0% 1%

Unsure 5% 4% 6% 6% 5%

Total 100% 100% 100% 100% 100%

Extrapolated value 2.49 2.24 2.07 2.10 2.31

Q15B. SINCE MAY 25, 2018, HOW MANY FAILURES OF THE CONFIDENTIALITY, INTEGRITY, AVAILABILITY AND RESILIENCE OF SYSTEMS PROCESSING PERSONAL DATA DID YOUR ORGANIZATION HAVE UNDER GDPR?

US EU CH JP FY2019

None 30% 40% 50% 44% 37%

1 to 5 35% 27% 31% 25% 30%

6 to 20 17% 19% 9% 14% 16%

More than 20 14% 8% 5% 11% 11%

Unsure 4% 5% 5% 6% 5%

Total 100% 99% 100% 100% 100%

Extrapolated value 3.54 3.44 2.20 2.79 3.26


Q16A. HOW MANY OF THE DATA BREACHES DID YOU REPORT TO A REGULATOR? US EU CH JP FY2019

None 55% 50% 58% 60% 55%

1 to 5 30% 38% 30% 27% 32%

6 to 20 8% 7% 6% 6% 7%

More than 20 1% 0% 0% 0% 0%

Unsure 6% 5% 6% 7% 6%

Total 100% 100% 100% 100% 100%

Extrapolated value 1.96 2.05 1.68 1.59 1.89

Q16B. FOR HOW MANY OF THE DATA BREACHES DID YOU RECEIVE FOLLOW-UP INQUIRIES OR INSPECTIONS FROM A REGULATOR?

US EU CH JP FY2019

None 78% 75% 84% 85% 79%

1 to 5 14% 18% 10% 8% 14%

6 to 20 2% 2% 0% 0% 1%

More than 20 0% 0% 0% 0% 0%

Unsure 6% 5% 6% 7% 6%

Total 100% 100% 100% 100% 100%

Extrapolated value 0.68 0.80 0.30 0.24 0.60


Q17. WHAT WERE THE ROOT CAUSES OF THESE DATA BREACHES? PLEASE SELECT ALL THAT APPLY. US EU CH JP FY2019

Negligent insider 44% 51% 41% 41% 45%

Malicious insider 15% 11% 8% 12% 13%

Systems glitch 31% 32% 30% 30% 31%

Cyber attack 45% 34% 31% 38% 39%

Outsourcing data to a third party 45% 41% 33% 40% 42%

Data lost in physical delivery 9% 11% 13% 7% 10%

Failure to protect actual documents 18% 21% 14% 18% 19%

Other (please specify) 0% 0% 0% 0% 0%

Do not know 35% 32% 36% 40% 35%

Total 242% 233% 207% 225% 233%

Q18A. DID YOU USE AN EXTERNAL CYBERSECURITY SERVICE TO INVESTIGATE THE DATA BREACHES OR CYBERATTACKS?

US EU CH JP FY2019

Yes 44% 40% 25% 47% 42%

No 56% 60% 75% 53% 58%

Total 100% 100% 100% 100% 100%

Q18B. IF YES, WAS THE WORK CONDUCTED UNDER LITIGATION OR ATTORNEY-CLIENT PRIVILEGE? US EU CH JP FY2019

Yes 65% 56% 41% 55% 58%

No 35% 44% 59% 45% 42%

Total 100% 100% 100% 100% 100%


Q19. WHAT WERE THE CONSEQUENCES OF THESE DATA BREACHES INVOLVING PERSONAL DATA OF EU INDIVIDUALS? PLEASE SELECT ALL THAT APPLY.

US EU CH JP FY2019

Caused significant brand and reputation damage 34% 33% 33% 31% 33%

C-level executive was forced to resign 4% 0% 0% 0% 2%

Caused significant financial harm 32% 35% 21% 35% 32%

Made our organization more vulnerable to future breach and other security incidents 25% 29% 19% 24% 25%

Decreased customer and consumer trust in our organization 43% 41% 36% 47% 43%

Negative media coverage 11% 9% 3% 8% 9%

Decline in company’s share price 6% 0% 0% 6% 4%

Loss of productivity 36% 35% 20% 33% 34%

Legal action 41% 32% 19% 25% 33%

Regulatory fines 12% 13% 0% 6% 10%

Other 2% 0% 0% 1% 1%

Total 246% 227% 152% 216% 227%

Q20. SINCE GDPR WENT INTO EFFECT, WERE ANY OF YOUR ORGANIZATION’S COMPETITORS FINED BECAUSE OF A DATA BREACH?

US EU CH JP FY2019

Yes 12% 15% 5% 10% 12%

No 80% 78% 83% 81% 80%

Don't know 8% 7% 12% 9% 8%

Total 100% 100% 100% 100% 100%


Q21A. DOES YOUR ORGANIZATION HAVE A DATA GOVERNANCE PROGRAM? US EU CH JP FY2019

Yes, a formal program 35% 30% 29% 32% 32%

Yes, an informal or “ad hoc” program 24% 28% 23% 29% 26%

No 41% 42% 48% 39% 41%

Total 100% 100% 100% 100% 100%

Q21B. IF YES, WHAT BEST DESCRIBES THE MATURITY LEVEL OF YOUR ORGANIZATION’S DATA GOVERNANCE PROGRAM?

US EU CH JP FY2019

Early stage – Many data governance program activities have not as yet been planned or deployed 27% 28% 31% 29% 28%

Middle stage – Data governance program activities are planned and defined but only partially deployed 33% 32% 30% 33% 32%

Late-middle stage – Many data governance program activities are deployed across the enterprise 23% 24% 24% 20% 23%

Mature stage – Core data governance program activities are deployed, maintained and/or refined across the enterprise 17% 16% 15% 18% 17%

Total 100% 100% 100% 100% 100%

Q22A. DOES YOUR ORGANIZATION HAVE INSURANCE THAT COVERS CYBER RISKS? US EU CH JP FY2019

Yes 35% 29% 19% 31% 31%

No 30% 34% 45% 34% 33%

No, our organization self-insures its cyber risks (e.g., captive) 35% 37% 36% 35% 36%

Total 100% 100% 100% 100% 100%


Q22B. IF YES, WHAT TYPES OF INCIDENTS DOES YOUR ORGANIZATION’S CYBER INSURANCE POLICY COVER? PLEASE SELECT ALL THAT APPLY.

US EU CH JP FY2019

External attacks by cyber criminals 60% 66% 52% 65% 62%

Malicious or criminal insiders 36% 40% 37% 38% 38%

System or business process failures 33% 32% 26% 33% 32%

Human error, mistakes and negligence 39% 45% 30% 45% 41%

Incidents affecting business partners, vendors or other third parties that have access to your company’s information assets 25% 31% 25% 18% 26%

Terrorism 14% 16% 14% 16% 15%

State-sponsored attacks 31% 27% 30% 31% 30%

Other (please specify) 0% 3% 0% 2% 1%

Unsure 9% 10% 15% 8% 10%

Total 247% 271% 229% 255% 254%

Q22C. IF YES, DOES THE CYBER INSURANCE POLICY COVER GDPR FINES OR PENALTIES? US EU CH JP FY2019

Yes 44% 45% 35% 40% 43%

No 46% 43% 50% 45% 45%

Unsure 10% 12% 15% 15% 12%

Total 100% 100% 100% 100% 100%


PART 3. ATTRIBUTIONS AND IMPORTANCE OF GDPR

PLEASE RATE EACH STATEMENT ABOUT GDPR USING THE SCALE PROVIDED BELOW EACH ITEM TO EXPRESS YOUR OPINION. STRONGLY AGREE AND AGREE RESPONSES COMBINED.

US EU CH JP FY2019

Q23a. Compliance with GDPR will assist with our compliance with the California Consumer Privacy Act (CCPA) and other US state privacy laws.

46% 30% 27% 35% 38%

Q23b. Compliance with the California Consumer Privacy Act (CCPA) and other US state privacy laws will cause our organization to re-evaluate its compliance position under GDPR.

43% 33% 29% 41% 39%

Q24. HOW DID YOUR COMPANY PREPARE FOR COMPLIANCE WITH GDPR? PLEASE CHECK ALL THAT APPLY.

US EU CH JP FY2019

Appointed a data protection officer under GDPR 95% 91% 79% 83% 90%

Appointed a representative under GDPR 64% 40% 45% 56% 54%

Allocated budget specifically for compliance with GDPR 60% 55% 60% 53% 57%

Conducted an assessment of our ability to comply with the regulations 65% 68% 67% 55% 64%

Created a data inventory of the data we held that was subject to GDPR 54% 58% 54% 46% 54%

Created a data map showing data flow and processes of personal data under GDPR 52% 57% 45% 60% 55%

Invested in new technologies or services (e.g., analytics and reporting, consent management, encryption) to prepare for the new requirements

51% 47% 40% 39% 46%

Introduced new record keeping requirements 34% 33% 29% 34% 33%

Introduced or updated document retention requirements 43% 41% 37% 39% 41%

Introduced or updated an audit structure for data protection and privacy 48% 38% 54% 42% 44%

Put in place or updated a new data transfer mechanism 25% 24% 17% 20% 23%

Changed or closed our overseas operations 19% 23% 21% 17% 20%

Evaluated and adjusted relationships with our third-party vendors 45% 30% 2% 30% 34%


Evaluated and adjusted relationships with our customers 36% 41% 31% 37% 37%

Added staff 48% 32% 28% 23% 37%

Other 3% 5% 4% 2% 3%

Total 742% 685% 614% 635% 693%

Q25. USING THE FOLLOWING 10-POINT SCALE, PLEASE RATE YOUR ORGANIZATION'S LEVEL OF READINESS TO RESPOND TO A DATA BREACH INVOLVING PERSONAL DATA OF EU INDIVIDUALS. 1 = LOW READINESS AND 10 = HIGH READINESS

US EU CH JP FY2019

1 or 2 9% 7% 9% 7% 8%

3 or 4 21% 16% 19% 17% 19%

5 or 6 25% 30% 30% 25% 27%

7 or 8 22% 25% 22% 27% 24%

9 or 10 23% 22% 19% 23% 22%

Total 100% 100% 100% 100% 100%

Extrapolated value 6.08 6.26 5.97 6.31 6.17

Q26A. USING THE FOLLOWING 10-POINT SCALE, PLEASE RATE YOUR ORGANIZATION’S CONFIDENCE TO COMPLY WITH GDPR’S DATA BREACH NOTIFICATION RULES. 1 = LOW CONFIDENCE AND 10 = HIGH CONFIDENCE

US EU CH JP FY2019

1 or 2 10% 8% 11% 9% 9%

3 or 4 19% 15% 16% 21% 18%

5 or 6 27% 28% 26% 26% 27%

7 or 8 22% 26% 28% 23% 24%

9 or 10 22% 23% 19% 21% 22%

Total 100% 100% 100% 100% 100%

Extrapolated value 6.04 6.31 6.08 6.05 6.12


Q26B. IF YOU RATED YOUR CONFIDENCE 7 OR HIGHER TO COMPLY WITH GDPR’S DATA BREACH NOTIFICATION RULES, WHY ARE YOU CONFIDENT?

US EU CH JP FY2019

Our organization has the necessary security technologies in place to be able to detect the occurrence of a data breach quickly

60% 55% 47% 66% 59%

Our organization's incident response plan has proven to be effective in providing timely notification 70% 60% 56% 65% 65%

Our organization is able to provide notification to the data protection authority within 72 hours 18% 21% 13% 14% 18%

Our organization would be able to determine quickly if the breach is unlikely to result in a "risk for the rights and freedoms of natural persons"

23% 21% 20% 25% 23%

Other (please specify) 2% 0% 1% 3% 2%

None of the above 21% 19% 23% 25% 21%

Total 194% 176% 160% 198% 187%

Q27A. BEFORE THE INTRODUCTION OF GDPR, HOW MANY DATA PROTECTION IMPACT ASSESSMENTS (DPIAS) OF YOUR ORGANIZATION’S EU PERSONAL INFORMATION, AS OUTLINED IN GDPR, DID YOUR ORGANIZATION CONDUCT TO UNDERSTAND HOW INFORMATION IS USED AND WHERE IT IS LOCATED?

US EU CH JP FY2019

None 28% 30% 35% 27% 29%

1 or 2 30% 46% 39% 44% 38%

3 to 5 17% 15% 17% 18% 17%

6 to 10 10% 6% 9% 8% 8%

More than 10 15% 3% 4% 5% 9%

Total 100% 100% 104% 102% 101%

Extrapolated value 3.73 2.13 2.47 2.62 2.94


Q27B. SINCE THE INTRODUCTION OF GDPR, HOW MANY DATA PROTECTION IMPACT ASSESSMENTS HAVE YOU CONDUCTED?

US EU CH JP FY2019

None 18% 13% 26% 17% 17%

1 or 2 23% 26% 19% 24% 24%

3 to 5 17% 15% 17% 18% 17%

6 to 10 27% 35% 28% 28% 30%

More than 10 15% 11% 10% 13% 13%

Total 100% 100% 100% 100% 100%

Extrapolated value 4.99 5.11 4.41 4.88 4.95

Q28. WHAT ARE THE BARRIERS TO MAINTAINING GDPR COMPLIANCE? PLEASE SELECT THE TOP THREE BARRIERS. US EU CH JP FY2019

The lack of privacy or security experts knowledgeable about GDPR 23% 19% 22% 23% 22%

The lack of experts knowledgeable about how to respond to a breach involving EU personal data 31% 26% 29% 30% 29%

Insufficient budget to invest in additional staffing 40% 37% 40% 32% 38%

Insufficient budget to invest in appropriate security technologies 35% 33% 27% 37% 34%

The need to make comprehensive changes in business practices 69% 70% 60% 71% 69%

Unrealistic demands from the regulation/regulator 52% 53% 56% 55% 53%

Too little time 48% 59% 64% 49% 52%

Other (please specify) 2% 3% 3% 2% 3%

Total 300% 300% 300% 300% 300%


Q29. WHAT ARE YOUR TOP CONCERNS ABOUT FAILING TO BE IN COMPLIANCE WITH GDPR? PLEASE SELECT THE TOP THREE CONCERNS

US EU CH JP FY2019

New penalties of up to 10 to 20 million euros or 2 to 4% of annual worldwide revenue, whichever is greater 64% 68% 67% 68% 66%

Managing cultural expectations when communicating with customers outside of the United States 22% 25% 25% 20% 23%

Increased territorial scope, impacting more businesses including many outside the European Union 17% 22% 22% 19% 19%

Tighter requirements for obtaining valid consent to the processing of personal data 20% 23% 21% 20% 21%

New restrictions on profiling and targeted advertising 28% 28% 20% 30% 28%

New data breach reporting obligations 36% 35% 37% 30% 35%

Direct legal compliance obligations for “data processors” 28% 22% 28% 26% 26%

Extended data protection rights for individuals, including the “right to be forgotten” 40% 36% 44% 37% 38%

Customer loss 16% 14% 16% 15% 15%

Litigation and class actions 17% 13% 10% 20% 16%

No concern 12% 14% 10% 13% 13%

Total 300% 300% 300% 300% 300%


Q30. WHICH OF THE FOLLOWING SECURITY ACTIONS IN GDPR HAS YOUR ORGANIZATION ADDRESSED? PLEASE CHECK ALL THAT APPLY.

US EU CH JP FY2019

The pseudonymisation and encryption of personal data 63% 65% 59% 55% 62%

The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services 48% 54% 46% 51% 50%

The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident 62% 76% 54% 77% 68%

A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing

44% 54% 65% 43% 48%

Auditing and review of third-party contracts 49% 48% 45% 52% 49%

None of the above 11% 15% 9% 12% 12%

Total 278% 312% 277% 289% 290%

PART 4. REPORTING STRUCTURE AND HIRING

Q31A. HAS YOUR ORGANIZATION HIRED OUTSIDE COUNSEL SINCE THE INTRODUCTION OF GDPR? US EU CH JP FY2019

Yes 52% 40% 40% 43% 46%

No 44% 55% 54% 53% 50%

Unsure 4% 5% 6% 4% 4%

Total 100% 100% 100% 100% 100%


Q31B. IF YES, WHY DID YOU HIRE OUTSIDE COUNSEL? PLEASE CHECK ALL THAT APPLY. US EU CH JP FY2019

Complex language of GDPR 24% 25% 26% 20% 23%

Overall risk mitigation 57% 54% 60% 47% 54%

International data transfers 32% 34% 41% 35% 34%

Data breach 35% 42% 37% 43% 39%

Right to be forgotten 49% 47% 49% 51% 49%

Establishing consent mechanisms 47% 56% 54% 40% 49%

Data inventory/privacy impact assessment 68% 61% 75% 76% 68%

Contacting data protection authorities 67% 43% 62% 50% 56%

To establish client attorney or litigation privilege 45% 40% 36% 44% 43%

Other (please specify) 3% 0% 1% 2% 2%

Total 427% 402% 442% 408% 417%

Q32A. DID YOU HIRE MORE EMPLOYEES TO PROVIDE ONGOING ASSISTANCE WITH GDPR? US EU CH JP FY2019

Yes 55% 44% 50% 43% 49%

No 45% 56% 50% 57% 51%

Total 100% 100% 100% 100% 100%


Q32B. IF YES, HOW MANY FULL-TIME EMPLOYEES DID YOUR ORGANIZATION HIRE? US EU CH JP FY2019

None 23% 39% 30% 28% 29%

1 to 2 25% 21% 13% 30% 24%

3 to 5 21% 18% 22% 23% 21%

6 to 10 22% 17% 25% 11% 19%

More than 10 9% 5% 10% 8% 8%

Total 100% 100% 100% 100% 100%

Extrapolated value 4.06 3.00 4.28 3.21 3.60

PART 5. BUDGET

Q33A. HAS YOUR ORGANIZATION ALLOCATED BUDGET SPECIFICALLY FOR COMPLIANCE WITH GDPR? US EU CH JP FY2019

Yes 77% 71% 63% 68% 72%

No 23% 29% 37% 32% 28%

Total 100% 100% 100% 100% 100%

Q33B. IF YES, DID YOUR ORGANIZATION ALLOCATE FUNDING FOR GDPR COMPLIANCE BECAUSE OF A DATA BREACH OR CYBER EXPLOIT?

US EU CH JP FY2019

Yes 50% 39% 42% 53% 47%

No 50% 61% 58% 47% 53%

Total 100% 100% 100% 100% 100%


Q34. APPROXIMATELY, WHAT IS THE DOLLAR RANGE THAT BEST DESCRIBES YOUR ORGANIZATION’S ANNUAL BUDGET FOR COMPLIANCE WITH GDPR?

US EU CH JP FY2019

Less than $500,000 1% 3% 4% 1% 2%

$500,001 to $1 million 6% 8% 12% 8% 8%

$1 to $5 million 11% 13% 16% 14% 13%

$6 to $10 million 18% 29% 25% 25% 23%

$11 to $15 million 18% 26% 22% 22% 22%

$16 to $20 million 17% 11% 15% 16% 15%

$21 to $25 million 18% 7% 5% 9% 12%

$26 to $50 million 6% 2% 1% 4% 4%

More than $50 million 5% 1% 0% 2% 3%

Total 100% 100% 100% 100% 100%

Extrapolated value (US$ millions) $16.42 $11.07 $9.69 $12.64 $13.57

Converted into US dollars

Q35. DO YOU BELIEVE THIS IS A ONE-TIME BUDGET ALLOCATED TO GDPR COMPLIANCE? US EU CH JP FY2019

Yes, one-time allocation 30% 36% 35% 40% 34%

No, the budget will be renewed annually 40% 32% 34% 31% 35%

No, the budget will continue indefinitely 23% 27% 23% 23% 24%

Unsure 7% 5% 8% 6% 6%

Total 100% 100% 100% 100% 100%


Q36. THE FOLLOWING TABLE LISTS SEVEN AREAS OF A GDPR BUDGET. PLEASE ALLOCATE 100 POINTS TO DENOTE THE LEVEL OF INVESTMENT IN EACH AREA.

SEVEN AREAS FOR GDPR BUDGET US EU CH JP FY2019

Technologies 17 15 16 17 17

Personnel 16 17 21 16 17

Consultants 11 13 8 11 11

Managed services 26 29 28 32 28

Outside lawyers 11 9 10 7 9

Training 7 6 7 7 7

Business process engineering 11 11 11 10 11

Total=100 points 100 100 100 100 100

Q37. WHO CONTROLS THE GDPR BUDGET? PLEASE CHECK ALL THAT APPLY. US EU CH JP FY2019

CEO/COO 2% 1% 0% 0% 1%

Chief compliance officer (CCO) 8% 9% 4% 7% 8%

General counsel (OGC) 5% 3% 3% 4% 4%

General manager / VP lines of business 20% 18% 21% 19% 19%

Chief risk officer (CRO) 9% 6% 3% 8% 9%

Chief information officer (CIO) 43% 41% 50% 49% 44%

Chief information security officer (CISO/CSO) 21% 17% 11% 19% 19%

Chief technology officer (CTO) 6% 5% 7% 5% 6%

Data protection officer (DPO) 8% 9% 7% 12% 9%

Chief privacy officer (CPO) 8% 13% 2% 3% 8%

No one person is responsible 30% 39% 45% 36% 35%

Other (please specify) 4% 3% 4% 3% 4%

Total 163% 165% 157% 166% 165%


Q38. DOES YOUR ORGANIZATION EARMARK FUNDING FOR BINDING CORPORATE RULES? US EU CH JP FY2019

Yes 29% 30% 10% 22% 26%

No 71% 70% 90% 78% 74%

Total 100% 100% 100% 100% 100%

Q39. DOES YOUR ORGANIZATION EARMARK FUNDING FOR PRIVACY SHIELD? US EU CH JP FY2019

Yes 21% 22% 6% 14% 19%

No 79% 78% 94% 86% 81%

Total 100% 100% 100% 100% 100%

PART 6. YOUR ROLE

D1. WHAT ORGANIZATIONAL LEVEL BEST DESCRIBES YOUR CURRENT POSITION? US EU CH JP FY2019

Senior executive/VP 6% 6% 8% 7% 6%

Director 16% 17% 12% 14% 16%

Manager 20% 21% 23% 17% 20%

Supervisor 17% 16% 15% 18% 17%

Technician 30% 28% 33% 32% 30%

Staff member 6% 7% 6% 7% 7%

Consultant 4% 3% 3% 4% 4%

Total 100% 100% 100% 100% 100%


D2. WHERE DOES YOUR DEPARTMENT REPORT IN THE ORGANIZATION? US EU CH JP FY2019

To the CFO 1% 2% 3% 3% 2%

To the CTO 6% 4% 5% 6% 5%

To the CIO 46% 50% 52% 48% 48%

To the CSO/CISO 23% 22% 17% 19% 21%

To the CPO 5% 4% 5% 3% 4%

To the general counsel (GC) 6% 4% 4% 3% 5%

Compliance leader 13% 14% 14% 18% 14%

Total 100% 100% 100% 100% 100%

D3. WHAT IS THE WORLDWIDE HEADCOUNT OF YOUR ORGANIZATION? US EU CH JP FY2019

Fewer than 500 people 10% 14% 12% 11% 12%

500 to 1,000 people 16% 16% 17% 17% 16%

1,001 to 5,000 people 29% 34% 31% 32% 31%

5,001 to 25,000 people 26% 23% 28% 23% 25%

25,001 to 75,000 people 11% 10% 10% 12% 11%

More than 75,000 people 8% 3% 2% 5% 5%

Total 100% 100% 100% 100% 100%


D4. WHAT INDUSTRY BEST DESCRIBES YOUR ORGANIZATION’S INDUSTRY FOCUS? US EU CH JP FY2019

Agriculture & food services 1% 1% 1% 0% 1%

Communications 2% 0% 3% 1% 1%

Defense & aerospace 1% 0% 0% 1% 0%

Education & research 3% 2% 1% 0% 2%

Energy & utilities 5% 6% 7% 7% 6%

Entertainment & media 2% 3% 1% 2% 2%

Financial services 18% 17% 17% 18% 18%

Health & pharmaceuticals 10% 11% 8% 13% 11%

Hospitality & leisure 3% 5% 5% 4% 4%

Industrial/manufacturing 12% 11% 15% 15% 13%

Public sector 10% 12% 16% 10% 11%

Retail 11% 10% 9% 9% 10%

Services 10% 12% 8% 10% 10%

Technology & software 10% 7% 7% 8% 9%

Transportation 2% 3% 2% 2% 2%

Total 100% 100% 100% 100% 100%


Please contact [email protected] or call us at 800.887.3118 if you have any questions.

This research study is for general information purposes only and should not be construed as legal advice or any other advice on any specific facts or circumstances. No one should act or refrain from acting based upon any information herein without seeking professional legal advice. McDermott Will & Emery (McDermott) makes no warranties, representations, or claims of any kind concerning the content herein. McDermott and the contributing presenters or authors expressly disclaim all liability to any person in respect of the consequences of anything done or not done in reliance upon the use of contents included herein. *For a complete list of McDermott entities visit: mwe.com/legalnotices.

(c) 2019 McDermott Will & Emery. All rights reserved. Any use of these materials including reproduction, modification, distribution or republication, without the prior written consent of McDermott is strictly prohibited. This may be considered attorney advertising. Prior results do not guarantee a similar outcome.

KEY CONTACTS

MARK E. SCHREIBER Partner | Boston Co-Chair, Global Privacy & Cybersecurity

mschreiber@mwe.com Tel +1 617 535 3982

ASHLEY WINTON Partner | London Global Privacy & Cybersecurity

awinton@mwe.com Tel +44 20 7577 6939

PONEMON INSTITUTE Advancing Responsible Information Management Ponemon Institute is dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations. We uphold strict data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from individuals (or company identifiable information in our business research). Furthermore, we have strict confidentiality standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.