Corporate spending on managing privacy risks has risen significantly since last year, with 6 of 10 privacy professionals believing budgets will continue to increase over the coming year.
The latest “Annual Privacy Governance Report,” produced by the International Association of Privacy Professionals and Big Four firm EY, found the average privacy spend among organizations in 2021 is $873,000, a 29 percent increase over the 2020 mean of $676,000. That figure is based on the responses of those at director level or higher among the 473 privacy professionals who answered the poll.
Of that senior group, 45 percent expect their organizations to hire more privacy staff over the next six months.
The survey found the biggest challenge for most organizations is complying with cross-border data transfer laws, particularly regarding the General Data Protection Regulation (GDPR) and the so-called “Schrems II” decision. That ruling by the EU’s top court, which found that countries outside the European Union (the United States in particular) could not be assumed to ensure data protection to the same degree, led 10 percent of respondent firms to localize European data, stop transfers, or halt related services.
Of those companies surveyed that transfer data from the European Union to a third country, nearly all (94 percent) now use standard contractual clauses as the primary legal means for doing so. Many firms also rely on “supplementary measures” for greater assurance that are either technical (38 percent), contractual (36 percent), or policy-based (26 percent).
Other widely employed methods for data transfers outside the European Union include adequacy decisions (39 percent) and consent clauses (25 percent).
Four in 10 firms said they have data and technology controls in place to restrict the transfer, access, or storage of data by jurisdiction—the most common (55 percent) being a data center in a country requiring localization. Other options include firewalls based on origin and destination IP address, hybrid cloud solutions, geo-restricted access, and data flow blocking.
The report found that data breaches are the topic most often reported by the privacy team to the board of directors (76 percent), followed by the organization’s level of compliance with privacy and data protection laws (56 percent) and progress on privacy initiatives (52 percent).
While nearly 7 in 10 EU firms rated GDPR compliance as their top priority, only one-fifth of U.S.-based firms did so. State laws didn’t fare much better (19 percent) in the United States.
The survey also found firms taking divergent strategic approaches to global compliance. Nearly half (48 percent) have a single global privacy strategy, while almost a third (32 percent) categorize their data subjects by jurisdiction and handle their data according to local, applicable laws. Some 17 percent of firms pursue a strictly local strategy toward their data subjects.
While privacy teams use a variety of benchmarks to measure the effectiveness of their programs, none are widely adopted. The leaders, the National Institute of Standards and Technology’s Privacy Framework and ISO 27701, are each used by only roughly 1 in 4 respondents. Instead, more than half of organizations rely on their own incident response metrics, privacy or data protection impact assessments, training and awareness, and data subject access request metrics.