The 2019 Global Privacy Enforcement Network (GPEN) Sweep found that 84% of respondent organisations said they had systems in place for reporting data breaches, including an appointed team or group responsible for handling breaches.
The Office of the Privacy Commissioner says organisations that voluntarily responded to the Sweep showed a significant awareness about best practices for appropriately responding to data breaches.
However, it says the results need to be tempered by the low response rate from organisations which were contacted to participate. Of the 1145 organisations approached, only 21% (258 organisations) provided substantive responses.
"Survey organisers say there are some possible reasons why the remaining organisations chose not to respond. These included potential concerns from organisations in jurisdictions with mandatory breach reporting about follow up enforcement actions if the Sweep revealed underreporting, or general concerns that responses may highlight non-compliance with data protection laws."
75% of responding organisations reported having procedures that covered key steps such as containment, assessment, evaluation of the risk associated with breaches. 18% of responses in relation to this question indicated that their procedures were poor, suggesting that these policies could be made clearer in order to cover the key steps involved in responding to a data breach.
65% of responding organisations rated their own procedures for preventing the recurrence of a data breach as ‘very good’ or ‘good’. However, the rest in this category had either poor procedures in place or failed to specify.
Some organisations without internal policies indicated that they relied on the guidance published by their relevant data protection authority where needed.
Data breach notification is mandatory in 12 of the 16 jurisdictions who participated in the Sweep. Almost all organisations that responded were aware of the relevant legal framework, including reporting thresholds and timeframes. Only five of those organisations demonstrated poor understanding of the legal framework.
Many organisations were found to fall short in terms of monitoring internal performance in relation to data protection standards, with more than 30% of responding organisations reporting having no programmes in place to conduct self-assessments and/or internal audits.
Only 45% of the organisations that responded indicated that they maintain up-to-date records of all data breaches or potential breaches.