In addition, half of those transferring certified under Safe Harbor in the past. J1: Does your ... Manufacturing and tec
10
Cross Border Data Transfer
85 IAPP-EY Annual Privacy Governance Report 2016
Cross Border Data Transfer
85
A bit over half of the organizations surveyed transfer data between the EU and the US • In addition, half of those transferring certified under Safe Harbor in the past Transfer Data From EU to US?
Certified Under Safe Harbor?
Don’t know 6%
No 40%
Yes 54%
Yes 50%
No 44%
Don’t know 6%
J1: Does your organization transfer personal information from the European Union to the United States? J2: Did your company certify under Safe Harbor?
86 IAPP-EY Annual Privacy Governance Report 2016
Cross Border Data Transfer 86
Manufacturing and tech firms are significantly more likely than average to transfer data across borders • In addition, cross-border transfer is the norm for organizations with 25K employees or more
% Who Transfer Data From EU to US Manufacturing
96%
75K+ employees
79%
Tech/telecom
74%
25K–74K employees
71%
TOTAL Government
54% 14%
J1: Does your organization transfer personal information from the European Union to the United States?
87 IAPP-EY Annual Privacy Governance Report 2016
Cross Border Data Transfer
87
The vast majority of those transferring data rely on standard contractual clauses as the main mechanism • However, about one-third rely, or intend to rely, on Privacy Shield or BCR (including 55% for BCR among those with 75K employees or more). And half of those say their BCR application has already been approved Mechanism for Data Transfer, Among Those Who Transfer 81%
Standard Contractual Clauses Consent
36%
Privacy Shield
34% 31%
Binding Corporate Rules (BCR)
27%
Other statutory derogations Certification or seal framework TBD under GDPR None
Expected BCR Approval
Already approved, 51%
Within a year, 12% Within 1–3 years, 51% Don’t know, 20%
17% 3%
J5: What mechanism(s) does your company intend to use to transmit data to the U.S.? J6: When do you expect your BCR application to be approved?
88 IAPP-EY Annual Privacy Governance Report 2016
Cross Border Data Transfer 88
8 in 10 organizations who transfer data say they fall under GDPR • Three aspects of GDPR are considered most difficult: right to be forgotten, plus data portability and explicit consent requirements
Whether Fall Under GDPR Scope, Among Those Who Transfer
No, 3%
Don’t know, 16%
Yes, 80%
GDPR Obligation Difficulty
(Mean Score On 0–10 Scale: 0 = Not At All Difficult; 10 = Extremely Difficult) Right to be forgotten
6.1
Data portability
5.7
Gathering explicit consent
5.6
Cross border data transfer
5.1
Breach notification requirements
4.8
Conducting Data Protection Impact Assessments
4.7
Understanding legitimate interest qualifications
4.7
Restrictions on profiling
4.6
Understanding regulatory oversight
4.5
Understanding jurisdictional scope
4.2
Understanding research allowances
3.8
Mandatory DPO requirement
3.7
J7a: Does your organization fall under the scope of the General Data Protection Regulation (GDPR)? J7b: Please rate each of the following legal obligations of the General Data Protection Regulation on a scale from 0-to-10
89 IAPP-EY Annual Privacy Governance Report 2016
Cross Border Data Transfer 89
The most commonly taken steps to prepare for GDPR are developing training and accountability frameworks • About a third each say they’re preparing by boosting their privacy budget or privacy staff Steps Being Taken To Prep for GDPR (Among Those Falling Under GPDR)
Investing in training
50%
Creating new accountability framework
46%
Putting in place new data transfer mechanism
36%
Appointing a DPO
35%
Increasing privacy budget
35%
Increasing privacy staff
34%
Creating new relationship with outside counsel
29%
Investing in technology
28%
Creating new reporting structure
21%
Appointing multiple DPOs
16%
Creating new relationship with consultancies
16%
Certifying employees
15%
Creating new relationship with regulators
15%
Ceasing to do business with EU citizens Nothing
1% 11%
J8: What, if anything, is your organization doing to prepare for the GDPR?
90 IAPP-EY Annual Privacy Governance Report 2016
Cross Border Data Transfer 90
Very few organizations have definitive plans to apply for CBPR in the Asia Pacific region • Among the few who do intend to apply, most don’t expect approval until at least a year from now—or they are aren’t sure Will Apply for CBPR?
Expected CBPR Approval Within a year, 9%
Don’t know, 44% Yes, 7% No, 49%
Already approved, 13%
Within 1–3 years, 35%
Don’t know, 35%
More than three years, 8%
J9: Will your organization apply for Cross Border Privacy Rules (CBPR) to transfer data in the APEC region? J10: When do you expect your CBPR application to be approved?
91 IAPP-EY Annual Privacy Governance Report 2016
Cross Border Data Transfer
91
Looking specifically at non-government, EU firms are more likely than US to transfer data and use BCR % Who Transfer Data from EU to US
Mechanism For Data Transfer 79% 89%
Standard Contractual Clauses 42%
Consent US non-government
62%
21% 36% 31%
Privacy Shield
31% 38%
Binding Corporate Rules (BCR) EU non-government
79%
26% 26%
Other statutory derogations Certification or seal framework TBD under GDPR None US non-gov’t
20% 11% 3% 1%
EU non-gov’t
J1: Does your organization transfer personal information from the European Union to the United States? J5: What mechanism(s) does your company intend to use to transmit data to the U.S.?
92 IAPP-EY Annual Privacy Governance Report 2016
Cross Border Data Transfer
92
EU firms are also more likely to transfer data when we exclude finance/health care, along with government
% Who Transfer Data from EU to US
US, non-government, finance, health care
EU, non-government, finance, health care
68%
78%
J1: Does your organization transfer personal information from the European Union to the United States?
93 IAPP-EY Annual Privacy Governance Report 2016
Cross Border Data Transfer
93
US firms were much more likely to be certified under Safe Harbor, but only 42% intend to use Privacy Shield
Safe Harbor and Mechanism for Data Transfer US w/o Gov’t, Finance, Health
EU w/o Gov’t, Finance, Health
73%
37%
Standard Contractual Clauses
81%
92%
Privacy Shield
42%
32%
Consent
41%
16%
Binding Corporate Rules (BCR)
31%
31%
Other statutory derogations
25%
27%
Certification or seal framework TBD under GDPR
23%
10%
Certified Under Safe Harbor Mechanisms
J2: Did your company certify under Safe Harbor? J5: What mechanism(s) does your company intend to use to transmit data to the U.S.?
94 IAPP-EY Annual Privacy Governance Report 2016
Cross Border Data Transfer
94
The gap between Safe Harbor and Privacy Shield is especially big for companies with 25K–75K employees Safe Harbor and Mechanism for Data Transfer Employee Size, US and EU, Without Gov’t, Finance, Health Under 5K Certified Under Safe Harbor
5K–24.9K 25K–74.9K
75K+
61%
59%
75%
65%
Standard Contractual Clauses
86%
78%
96%
78%
Privacy Shield
43%
44%
26%
43%
Consent
36%
44%
37%
24%
Binding Corporate Rules (BCR)
8%
29%
26%
53%
Other statutory derogations
36%
24%
26%
19%
Certification or seal framework TBD under GDPR
24%
22%
15%
18%
Mechanisms
J2: Did your company certify under Safe Harbor? J5: What mechanism(s) does your company intend to use to transmit data to the U.S.?
95 IAPP-EY Annual Privacy Governance Report 2016
Cross Border Data Transfer
95
That gap is mostly a US phenomenon, with much higher numbers using Safe Harbor vs. Privacy Shield Safe Harbor and Mechanism for Data Transfer Employee Size, US, Without Gov’t, Finance, Health Under 5K Certified Under Safe Harbor
5K–24.9K 25K–74.9K
75K+
77%
69%
80%
67%
Standard Contractual Clauses
88%
69%
96%
75%
Privacy Shield
52%
41%
29%
47%
Consent
38%
55%
42%
28%
Binding Corporate Rules (BCR)
8%
28%
29%
52%
Other statutory derogations
34%
28%
25%
17%
Certification or seal framework TBD under GDPR
22%
31%
17%
20%
Mechanisms
J2: Did your company certify under Safe Harbor? J5: What mechanism(s) does your company intend to use to transmit data to the U.S.?
96 IAPP-EY Annual Privacy Governance Report 2016
Cross Border Data Transfer
96
