m o c . IAPP-EY Annual Privacy 5 b u Governance Report h 2021 t i g Introduction This year’s “Privacy Governance Report,” produced in collaboration with EY and EY Law, analyzes the state of the privacy profession in 2021. It examines the ongoing effects of the COVID-19 pandemic on the privacy profession, including the evolution of remote/hybrid/office work, as well as expectations about the future of business travel, legal compliance issues related to the EU General Data Protection Regulation and California Consumer Privacy Act, as well as the progress of organizations in adapting to new laws, including the California Privacy Rights Act and other U.S. state laws, as well as Brazil’s General Data Protection Law. It also details the organizational architecture of privacy teams, taking an in-depth look at the privacy leadership, reporting structures, and privacy staff and budgets. It covers the privacy team’s core responsibilities, shifting priorities and efforts to benchmark their privacy programs. Finally, it examines the workflow around data subjects and processing vendors, answering questions ranging from how long it takes a typical organization to respond to a data subject request to what assurances most organizations require from vendors that handle their data. m o b u h t i g c . 5 The survey targeted privacy professionals around the world. To reach them, an online survey invitation was sent to subscribers of the IAPP’s “Daily Dashboard” publication. A total of 473 surveys were completed. By Müge Fazlioglu, CIPP/E, CIPP/US IAPP Senior Westin Research Fellow IAPP-EY Annual Privacy Governance Report 2021 ii For privacy pros, this year has been anything but uneventful. In July, the power of the GDPR was on full display when Amazon disclosed that Luxembourg’s National Commission for Data Protection imposed an unprecedented 746 million euro fine on it for alleged violations of the GDPR. Described as “arguably the most important GDPR decision issued,” it is the biggest GDPR fine to date — eclipsing the French Commission nationale de l’informatique et des libertés’ 50million euro fine against Google and more recently the Irish Data Protection Commission’s 225 million euro fine against WhatsApp — and is more than the total of all other GDPR fines that have been imposed since the law went into effect. Act came substantively into force July 1. All the developments also come on the heels of Brazil’s passage last year of the LGPD, compliance with which we examine for the first time in this year’s report. At the state-level in the U.S., privacy laws continue to advance from passage to implementation and enforcement. As CCPA claims work their way through the courts, legislatures in Virginia and Colorado have added to the growing roster of U.S. state-level privacy legislation. Yet, without baseline federal privacy protections in place, the U.S. approach essentially “leaves it to companies to set the rules for privacy” for many new technologies. We see examples of this with recent privacy-centric initiatives rolled out by technology companies, such as Apple’s App Tracking Transparency feature, Google’s Privacy Budget and the pledge by tech companies to invest more in cybersecurity, all of which seek to address consumer privacy concerns even absent a federal, omnibus privacy law. m o b u h t i g Although the GDPR may dominate the headlines, other laws around the globe are shaping up to have as great if not more of an impact on privacy practices worldwide. In August, China adopted the Personal Information Protection Law, which is set to go into effect Nov. 1. Both similar and dissimilar to the GDPR, the passage of China’s new privacy law comes just months after a major cybersecurity reform went through, promising more frequent enforcement against companies operating in China. Another privacy law impacting global businesses, South Africa’s Protection of Personal Information IAPP-EY Annual Privacy Governance Report 2021 c . 5 With so much going on and constantly changing in the world of privacy, we hope you find this year’s “Privacy Governance Report” to provide a consistent, powerful benchmark for your privacy program operations and a unique source of insight into how the privacy profession is evolving today. iii Contents 1 Key Findings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv 2 Executive Summary . . . . . . . . . . . . . . . . . . .