“It is important that organizations have appropriate technical and organisational measures in place. This includes having clear data protection policies, taking a ‘data protection by design and default’ approach and continuing to review and monitor performance and adherence to data protection rules and regulations”, says Adam Stevens, Head of Intelligence at the UK Information Commissioner’s Office (ICO).
In a sweep conducted by the ICO as part of the Global Privacy Enforcement Network’s (GPEN) annual intelligence-gathering operation, 356 companies in 18 countries were contacted. The findings included the following:
- 25 percent of companies had no programs in place to conduct self-assessments and/or internal audits.
- More than 50 percent of companies indicated that they have documented incident response procedures and maintain up-to-date records of all data security incidents and breaches. However, some indicated that they have no processes in place for responding appropriately to a data security incident.
- Nearly 75 percent of companies appointed an individual or team to ensure compliance with relevant data protection rules and regulations.