Privacy Governance Report from IAPP and FTI Consulting Finds Nearly Half of Organizations Have Increased Data Privacy Budgets and Priority

Rhea-AI Summary

FTI Consulting and the IAPP have released their Privacy Governance Report for 2020, surveying over 450 privacy professionals. The report highlights increased importance of privacy due to COVID-19, with 40% of respondents emphasizing its significance. Privacy budgets rose by 8% to a mean of $2 million for large companies, while compliance with data privacy laws remains a top concern. However, hiring freezes are prevalent, with 71% of organizations expecting no change in privacy staffing. The report indicates ongoing challenges from legislative changes, including GDPR and CCPA compliance.

Positive

• Privacy budgets increased by 8% in 2020 to an average of $2 million for companies with revenues over $25 billion.
• 40% of respondents indicated privacy has gained importance due to COVID-19, reflecting a shift in organizational priorities.
• An 11% increase in privacy professionals who felt their budget was sufficient to meet obligations compared to 2019.

Negative

• 71% of organizations anticipate no increase in full-time privacy staffing, reflecting a plateau in hiring.
• Approximately 50% of organizations are not fully compliant with GDPR, indicating potential legal risks.
• Two-thirds of respondents are adjusting data transfer mechanisms due to the Schrems II ruling, complicating compliance efforts.

Study Offers Close Look at Global Privacy Program Leadership, Spending and Focus Areas as Organizations Brace for Another Turbulent Year and Intensifying Regulatory Oversight

WASHINGTON, Dec. 17, 2020 (GLOBE NEWSWIRE) -- FTI Consulting, Inc. (NYSE: FCN) and the International Association of Privacy Professionals (“IAPP”) today announced the release of their joint Privacy Governance Report. The report, which is the IAPP’s sixth annual study into global privacy programs and trends, includes findings of an in-depth survey of more than 450 privacy professionals in the U.S. and Europe, examining the impact of COVID-19 and heightening regulation on privacy programs and the privacy profession in general.

Throughout most of 2020, privacy professionals were focused on wrestling with the complicated links between working during a global pandemic and the data protection and privacy risks that have emerged as a result. In parallel, legislative activity on the data privacy front was accelerated among state and federal authorities around the world, creating a confluence of challenges and concerns for privacy professionals to prioritize.

“Privacy will continue to be a big focus for businesses in 2021,” said Jake Frazier, a Senior Managing Director in the Information Governance, Privacy & Security practice within FTI Consulting’s Technology segment. “There’s strong potential for heightened enforcement activities and continued changes to privacy laws in the U.S. and worldwide. In parallel, companies will grapple with maintaining compliance and avoiding privacy control breakdowns amid the complex business challenges that have resulted from the pandemic. The IAPP survey sheds light on the tremendous pressure privacy professionals have been under this year, but it also reveals progress in terms of the ways organizations are now prioritizing and budgeting for important privacy programs.”

Pandemic Concerns Dominate
More than 40% of survey respondents said privacy has become more important within their organization due to COVID-19, while only 5% said it has become less important. Many privacy professionals have also seen their day-to-day responsibilities shift this year, with more than half saying that maintaining and advising on employee privacy has become a priority. Roughly half are also dedicating more time to assessing platforms that support the organization’s remote workforce.

In terms of concerns over data collected from employees for COVID-19 purposes, respondents were split. Approximately 45% said they have conducted a privacy risk assessment or data protection impact assessment on this information, while about half had not.

Growth in Privacy Budgets and Priorities
Privacy spending is up by 8% from 2019, at a mean budget of roughly $2 million for companies with annual revenues of more than $25 billion. Only 9% expect to see a decrease in their privacy budget in 2021, and of those who expect a budget increase, many said it will support new privacy program initiatives, tool acquisition and more privacy training. Moreover, the number of privacy professionals who believe their budget is sufficient to meet their obligations increased 11% over last year.

Approximately four in 10 organizations are working toward a single privacy strategy that can be applied around the globe. Another 30% take an approach that segments data subjects by jurisdiction, handling each data subject’s personal data according to the relevant local law. As was true in 2019, compliance issues—concerning GDPR, the California Consumer Privacy Act (“CCPA”) and beyond—continue to remain the top priorities for privacy professionals. Overall, 30% said that compliance with GDPR remained their top priority.

Legislative and Legal Changes
Data privacy laws picked up momentum around the world this year. While GDPR compliance is up from 2019, half of respondents are still not fully compliant. The CCPA has also triggered notable changes, with 38% of organizations reporting they have modified business practices to avoid selling data, and 32% confirming they have added a “Do Not Sell My Personal Information” link on their website.

The Schrems II ruling from earlier in 2020, which invalidated the Privacy Shield framework for cross-border data transfers, is another issue causing direct and indirect challenges for many companies. Nearly two-thirds of respondents said their organizations transfer data outside of the EU—55% previously relied on Privacy Shield and 62% are adjusting their data transfer mechanism as a result of this year’s ruling. Another 88% use standard contractual clauses as their mechanism for the compliant transfer of data outside of the EU, but many experts agree this approach has been cast into doubt in the wake of Schrems II.

Privacy Leadership Expands, Staffing Plateaus
While privacy hiring has been on the rise in previous years, it has leveled off in 2020. Nearly half of organizations have implemented or plan to implement hiring freezes for privacy and non-privacy roles, and 71% expect the current number of full-time privacy staff to remain the same in the coming year. In 4 out of 10 organizations, the most senior “privacy leader” holds the title of chief privacy officer. Boards of Directors maintain privacy leadership at 13% of organizations.

In terms of job duties, privacy professionals in Europe were more likely than their U.S. counterparts to handle privacy-related monitoring, GDPR compliance and assuring proper cross-border data transfers, while U.S. respondents were more likely to have a focus on ethical decision-making around data use and CCPA compliance.

Download the fully IAPP-FTI Consulting Privacy Governance Report 2020 here.

Methodology
A total of 473 respondents completed the survey this year. Email invitations to take the survey were sent to subscribers of the IAPP’s Daily Dashboard. The survey was fielded in August and September 2020 by Fondulas Strategic Research LLC.

About FTI Consulting
FTI Consulting, Inc. is a global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political & regulatory, reputational and transactional. With more than 6,200 employees located in 28 countries, FTI Consulting professionals work closely with clients to anticipate, illuminate and overcome complex business challenges and make the most of opportunities. The Company generated $2.35 billion in revenues during fiscal year 2019. For more information, visit www.fticonsulting.com and connect with us on Twitter (@FTIConsulting), Facebook and LinkedIn.

About IAPP
The International Association of Privacy Professionals is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, promote and improve the privacy profession globally. More information about the IAPP is available at iapp.org.

FTI Consulting, Inc.
555 12^th Street NW
Washington, DC 20004
+1.202.312.9100

Investor Contact:
Mollie Hawkes
+1.617.747.1791
mollie.hawkes@fticonsulting.com

Media Contact:
Kate Holmes
+1.206.373.6521
kate.holmes@fticonsulting.com

FAQ

What are the key findings of the 2020 Privacy Governance Report by FTI Consulting and IAPP?

The report reveals that privacy budgets increased by 8% in 2020, with over 40% of privacy professionals reporting greater importance placed on privacy due to COVID-19.

How has COVID-19 affected privacy programs according to the 2020 Privacy Governance Report?

Over 40% of respondents stated that privacy is more important within their organizations due to COVID-19, with many shifting responsibilities to maintain employee privacy.

What challenges do organizations face regarding data privacy compliance?

Organizations struggle with compliance, with 50% not fully compliant with GDPR, and difficulties arising from legislative changes such as the CCPA and the Schrems II ruling.

What trends are seen in privacy budgets in the 2020 Privacy Governance Report?

The report indicates an 8% increase in privacy budgets, with many organizations planning to invest in new privacy initiatives and training.

What percentage of organizations expect to see hiring freezes in privacy roles?

Nearly half of organizations have implemented or plan to implement hiring freezes for privacy roles, with 71% expecting staffing levels to remain unchanged.