New research has indicated that over 60% of businesses have not fully prepared for the implementation of the GDPR.
Set to come into effect on 28 May 2018, the General Data Protection Regulation (GDPR) will change the existing data protection regime in the EU.
Complying with these provisions is essential, with a two-tiered sanction regime applying to any organisation which breaches them; the rules which are considered most fundamental could have fines up to €20 million attached to them.
Despite these severe consequences, a recent survey has indicated that the majority of firms are behind on their preparations, with over half yet to conduct an audit for the purposes of the GDPR.
Undertaken by PL&B, the survey was based on the responses of 251 international and private businesses. It looked at the steps that the businesses had taken to prepare for the GDPR, highlighting the areas where businesses were ready for the change as well as those which they were less prepared in.
One of the preparative strengths that the survey highlighted was the presence of a Data Protection Officer or similar within the businesses that responded. When asked whether the organisation had an employee with the title, 64% replied positively, whilst 9% stated that they would appoint one prior to implementation of the GDPR. However, whilst this is largely optimistic, the presence of a DPO in a business does not necessarily indicate a step towards preparing for the GDPR, given many may have appointed one already.
This sentiment is reflected in the next question, which asks whether businesses have conducted a data audit for the purposes of GDPR.
Whilst 91 organisations stated that they had, most were yet to complete an audit; 24 were in the process of conducting one and 72 claimed that they would conduct one in the near future.
More positive was the establishment of purposes for personal data processing, with 82% of firms responding positively. This enables firms to review their current methods and assess which are necessary, a key step in GDPR preparation to ensure it’s appropriately implemented.
The study also indicated that the majority of organisations had not sought external legal advice, with 63% responding negatively to the question. Whilst this is not a direct reflection of a lack of GDPR preparation, it suggests that some businesses may not be fully aware of the impact of the soon to be implemented provisions.
A similarly negative response was received in relation to information notices, with 67% of organisations having not yet reviewed or updated their current information notices. The GDPR requires businesses to notify individuals about how they intend to process their data – something which must be provided in a clear and transparent way.
Reviewing methods of obtaining consent was a slightly stronger area for businesses; whilst 19% were yet to do so, the majority (64%) claimed they were working on it, with 17% having already done so. Under the GDPR, when organisations seek a user’s consent, the method of obtaining it should be displayed prominently, ask individuals to ‘opt-in’ and provide them with sufficient supporting information.
However, preparations for breach notifications and staff compliance training was more negative, at 48% and 51% having not yet undertaken these measures respectively. Whilst the provisions do not come into effect until May next year, it’s important that preparations are made as soon as possible, especially in light of the consequences should there be a breach. Whilst data processes are typically thought to be an IT issue, the reality is that their remit stretches far beyond this, with the GDPR set to affect every department in a business. Therefore, it may be considered concerning that the majority of respondents stated that staff compliance training had not yet been undertaken. Even if all of the appropriate measures are in place to comply with the enhanced data protection regime, a lack of comprehensive staff training could render these improved processes insignificant.
