Press Release

Privacy Governance Report from IAPP and FTI Consulting Finds Nearly Half of Organizations Have Increased Data Privacy Budgets and Priority

Study Offers Close Look at Global Privacy Program Leadership, Spending and Focus Areas as Organizations Brace for Another Turbulent Year and Intensifying Regulatory Oversight
Press release

Washington, D.C., Dec. 17, 2020 — FTI Consulting, Inc. (NYSE: FCN) and the International Association of Privacy Professionals (“IAPP”) today announced the release of their joint Privacy Governance Report. The report, which is the IAPP’s sixth annual study into global privacy programs and trends, includes findings of an in-depth survey of more than 450 privacy professionals in the U.S. and Europe, examining the impact of COVID-19 and heightening regulation on privacy programs and the privacy profession in general.

Throughout most of 2020, privacy professionals were focused on wrestling with the complicated links between working during a global pandemic and the data protection and privacy risks that have emerged as a result. In parallel, legislative activity on the data privacy front was accelerated among state and federal authorities around the world, creating a confluence of challenges and concerns for privacy professionals to prioritize.

“Privacy will continue to be a big focus for businesses in 2021,” said Jake Frazier, a Senior Managing Director in the Information Governance, Privacy & Security practice within FTI Consulting’s Technology segment. “There’s strong potential for heightened enforcement activities and continued changes to privacy laws in the U.S. and worldwide. In parallel, companies will grapple with maintaining compliance and avoiding privacy control breakdowns amid the complex business challenges that have resulted from the pandemic. The IAPP survey sheds light on the tremendous pressure privacy professionals have been under this year, but it also reveals progress in terms of the ways organizations are now prioritizing and budgeting for important privacy programs.”

Pandemic Concerns Dominate

More than 40% of survey respondents said privacy has become more important within their organization due to COVID-19, while only 5% said it has become less important. Many privacy professionals have also seen their day-to-day responsibilities shift this year, with more than half saying that maintaining and advising on employee privacy has become a priority. Roughly half are also dedicating more time to assessing platforms that support the organization’s remote workforce.

In terms of concerns over data collected from employees for COVID-19 purposes, respondents were split. Approximately 45% said they have conducted a privacy risk assessment or data protection impact assessment on this information, while about half had not.

Growth in Privacy Budgets and Priorities

Privacy spend is up by 8% from 2019, at a mean budget of roughly $2 million for companies with annual revenues of more than $25 billion. Only 9% expect to see a decrease in their privacy budget in 2021, and of those who expect a budget increase, many said it will support new privacy program initiatives, tool acquisition and more privacy training. Moreover, the number of privacy professionals who believe their budget is sufficient to meet their obligations increased 11% over last year.

Approximately four in 10 organizations are working toward a single privacy strategy that can be applied around the globe. Another 30% take an approach that segments data subjects by jurisdiction, handling each data subject’s personal data according to the relevant local law. As was true in 2019, compliance issues—concerning GDPR, the California Consumer Privacy Act (“CCPA”) and beyond—continue to remain the top priorities for privacy professionals. Overall, 30% said that compliance with GDPR remained their top priority.

Legislative and Legal Changes

Data privacy laws picked up momentum around the world this year. While GDPR compliance is up from 2019, half of respondents are still not fully compliant. The CCPA has also triggered notable changes, with 38% of organizations reporting they have modified business practices to avoid selling data, and 32% confirming they have added a “Do Not Sell My Personal Information” link on their website.

The Schrems II ruling from earlier in 2020, which invalidated the Privacy Shield framework for cross-border data transfers, is another issue causing direct and indirect challenges for many companies. Nearly two-thirds of respondents said their organizations transfer data outside of the EU—55% previously relied on Privacy Shield and 62% are adjusting their data transfer mechanism as a result of this year’s ruling. Another 88% use standard contractual clauses as their mechanism for the compliant transfer of data outside of the EU, but many experts agree this approach has been cast into doubt in the wake of Schrems II.

Privacy Leadership Expands, Staffing Plateaus

While privacy hiring has been on the rise in previous years, it has leveled off in 2020. Nearly half of organizations have implemented or plan to implement hiring freezes for privacy and non-privacy roles, and 71% expect the current number of full-time privacy staff to remain the same in the coming year. In 4 out of 10 organizations, the most senior “privacy leader” holds the title of chief privacy officer. Boards of Directors maintain privacy leadership at 13% of organizations.

In terms of job duties, privacy professionals in Europe were more likely than their U.S. counterparts to handle privacy-related monitoring, GDPR compliance and assuring proper cross-border data transfers, while U.S. respondents were more likely to have a focus on ethical decision-making around data use and CCPA compliance.

Download the fully IAPP-FTI Consulting Privacy Governance Report 2020 here.

Methodology

A total of 473 respondents completed the survey this year. Email invitations to take the survey were sent to subscribers of the IAPP’s Daily Dashboard. The survey was fielded in August and September 2020 by Fondulas Strategic Research LLC.

About FTI Consulting

FTI Consulting, Inc. is a global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political & regulatory, reputational and transactional. With more than 6,200 employees located in 28 countries, FTI Consulting professionals work closely with clients to anticipate, illuminate and overcome complex business challenges and make the most of opportunities. The Company generated $2.35 billion in revenues during fiscal year 2019. For more information, visit www.fticonsulting.com and connect with us on Twitter (@FTIConsulting), Facebook and LinkedIn.

About IAPP

The International Association of Privacy Professionals is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, promote and improve the privacy profession globally. More information about the IAPP is available at iapp.org.