2018 GPEN Sweep: The good, the bad and the takeaway
Every year, the Global Privacy Enforcement Network (GPEN) coordinates a ‘Sweep’, where data protection and privacy regulators around the world analyse the privacy practices of some of their local organisations.
In 2018 a Sweep was conducted by GPEN members on the theme of privacy accountability. The aim was to consider how well organisations had implemented the concept of privacy accountability into their own internal programs and policies.
OVIC participated in this Sweep by contacting a random selection of 32 public sector entities listed on the Victorian Public Sector Commission website. OVIC sent out a short questionnaire to these selected entities, asking them to self-assess their privacy practices over 12 questions.
Here are some of our findings in comparison to the global Sweep results.
- All Victorian organisations had at least one person acting as a privacy officer, responsible for privacy governance and management. Victoria also did better than average here, with 6% of global organisations lacking a privacy officer or equivalent.
- Fewer than average organisations responded to OVIC’s questionnaire. While 53% of organisations around the world responded to this Sweep, only 37.5% of Victorian organisations did.
- Only 50% of the surveyed Victorian organisations had a formal self-assessment or audit process in place, whereas 74% of international organisations had such a process.
- 52% of global organisations indicated that they have a documented incident response plan. OVIC found that only 25% of the responding Victorian organisations had one.
While it is great that every organisation had someone responsible for privacy, a culture of privacy accountability across all employees would be even better. Organisations should consider providing refresher privacy training for all employees, not just during employee induction.
Organisations that want to become even better at privacy should consider implementing an incident response plan, self-assessment or audit process, and an information asset register.
OVIC’s full report on the 2018 GPEN Sweep is available here.
GPEN’s international report on the Sweep is available here. This report collates the results of each participating privacy authority around the world.
An media release by GPEN on the Sweep is available here.
OVIC would like to extend its thanks to all the Victorian public sector organisations that participated in this year’s Sweep.