Companies have moved toward GDPR compliance, handling data protection impact assessments (DPIA) and data subject rights requests (DSAR), according to a study by TrustArc and the International Association of Privacy Professionals (IAPP).
Of almost 400 firms surveyed, 72% have received one or more data access requests since GDPR went into effect in May. Only 9% have received more than 100 requests per month, but 47% have received between one and 10 requests, and 16% have received between 11 and 99.
At the same time, 83% have created a data inventory of their business processing activities, compared with 43% two years ago. That includes 75% of those subject to the GDPR.
GDPR applies to 83% of the responding companies. The study also found that “many organizations have not yet been forced to engage with some of its major obligations.”
Data inventory and mapping are still performed manually or informally (using email, spreadsheets, etc.) by 45%, but that figure is down from 62% in 2016. In contrast, 20% are using specialized data inventory and mapping software.
The study also shows that 30% have partially automated DSAR management; 3% have fully automated it and 57% are using a manual process.
The median organization receives 7 DSARs per million data subjects per month.
On a positive note, 75% have sent no data breach notifications. However, 3% have sent four or more, 4% have sent two, and 8% have sent one, while another 8% say they don’t know.