San Francisco, December 4​, 2018TrustArc, the leading data privacy management company, and the International Association of Privacy Professionals (IAPP), the world’s largest global information privacy community, today announced the results of new benchmarking research that examined the current state of privacy program management. The research shows that critical privacy program activities such as creating data inventories, conducting data protection impact assessments (DPIA), and managing data subject access rights requests (DSAR) are now well established in large and small organizations in both Europe and the United States.

“Among our thousands of members, we know that privacy teams are now reporting on a regular basis to company leadership, and consequently they need to demonstrate results and a return on investment,” said Trevor Hughes, CEO and President of the IAPP. “With this new study, we are helping to identify and develop the metrics that our members require.”

As privacy-related incidents continue to rise, and the number of international and domestic privacy regulations increase, privacy programs need to become more sophisticated and mature. These programs require increased investments in technology and resources for a more proactive and automated approach to privacy management. As privacy teams become more operational, there is a need for metrics that can be benchmarked against time, industry and company size.

To understand the different types of privacy and security operations, who is running them and where,
TrustArc and the IAPP surveyed close to 500 privacy professionals in the U.S., EU, UK and Canada.

Key findings from the survey include:

Data inventory is becoming a standard privacy management practice

  • 83% have created a data inventory of their business processing activities, which is a significant increase from the 43% of respondents who reported engaging in routine inventory and mapping exercises two years ago.
  • 20% are using specialized data inventory and mapping software, up from 10% two years ago

DPIAs are the most common type of privacy assessments

  • 75% of respondents subject to the GDPR report they have completed one or more Data Protection Impact Assessments (DPIA).
  • 46% use technology tools for DPIA management, including 20% who use a specialized software solution; 47% use a manual process, down from 66% two years ago.
  • DPIAs, Privacy Impact Assessments (PIAs), and Vendor / Third Party Risk are the most popular type of privacy assessments, and are used significantly more often than popular security assessments such as ISO 27001 and NIST.

Individual rights / data subject access rights (DSAR) requests impacting most organizations

  • 72% report receiving one or more DSAR requests since GDPR went into effect May 25, 2018.
  • 47% receive 1-10 requests / month; 16% 11-99 requests / month; 9% 100 or more requests / month.
  • 30% have partially automated DSAR management; 3% have fully automated and 57% are using a manual process.

Data breach notification requirements impacting larger companies

  • 27% of respondents from large organizations report filing one or more breach notifications vs 16% from small organizations.

To download the complete findings, please visit: IAPP – TrustArc Research

About the Research

The survey was fielded from October 23 to November 6, 2018 to the IAPP Daily Dashboard newsletter, which reaches 41,000 subscribers from around the globe. The results are based on the response from 496 privacy professionals (primarily in-house, legal and consultants) based in the U.S. (39%), EU/Non-UK (32%), Canada (8%), UK (12%) and Other Countries (9%). Among the many industries represented in the survey, the five top industries were the software and services, business services and supplies, government, health care, and education/academia.

About TrustArc

TrustArc, the leader in privacy compliance and data protection for over two decades, offers an unmatched combination of innovative technology, expert consulting and TRUSTe certification solutions, that together address all phases of privacy program management. The TrustArc Platform, fortified over nine years of operating experience, across a wide range of industries and client use cases, along with our extensive services, leverage deep privacy expertise and proven methodologies, which have been continuously enhanced through thousands of customer engagements. Headquartered in San Francisco, and backed by a global team across the Americas, Europe, and Asia, TrustArc helps customers worldwide demonstrate compliance, minimize risk and build trust. For more information, visit the TrustArc website, blog and LinkedIn.

About the IAPP

The International Association of Privacy Professionals is the largest and most comprehensive globalinformation privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organizationthat helps define, support and improve the privacy profession globally. More information about the IAPPis available at

For media inquiries, please contact:

[email protected]

[email protected]