As part of the Global Privacy Enforcement Network ‘Sweep’ carried out in 2018, the Data Protection Commission has recently published its national Sweep report (5 March 2019).
The thirty organisations surveyed ranged across the private and public sector including pharma, multinationals, government/local bodies, transport, charity, education and finance.
The Report did not provide details of the size/turnover of the organisations surveyed.
The findings were mixed as regards compliance with the GDPR and the Data Protection Act 2018. On a positive note most organisations had a contact for their Data Protection Officer (where required) shown on their website. Most organisations also had policies and procedures in place in order to respond to complaints from individuals. On a negative note the survey found:
· Only 38% of the organisations had training programmes for staff (new and existing) and refresher training. In light of the rapidly evolving understanding of the GDPR, this is somewhat surprising.
· An insufficient number of organisations carried out internal monitoring of their application of the GDPR.
· Failure of accountability: a significant number of organisations did not provide evidence of documented processes to assess the risks associated with new technology and products adopted by them (e.g. privacy impact assessments).
· A significant number of organisations did not have a proper inventory of personal data (data mapping) and also failed to maintain a record of data flows.
Based on the Report, the DPC is currently assessing what follow-up action to take. This may include taking enforcement action. In the interim, it may be worthwhile for companies to review their privacy obligations in light of the Report’s findings and to mitigate the risk of any future DPC audit or sanction.