Majority of companies not prepared for GDPR
09 May 2018
NEW RESEARCH conducted by the British Standards Institution (BSI) has found that only five per cent of organizations are prepared for the General Data Protection Regulation (GDPR).
A survey commissioned by BSI found that although 97 per cent of organizations admit that implementing the GDPR will affect their business, only five per cent say they are fully prepared for the new regulation. Only 33 per cent said they are even just over halfway to compliance.
More than 1,800 European respondents took part in the research, including participants from Belgium, France, Germany, Ireland, Italy, the Netherlands, Poland, Spain and the UK.
The GDPR comes into effect on 25 May 2018 and will require all organizations to comply with stricter rules on the protection and privacy of the personal data of data subjects (individuals) within the EU. Failure to comply could result in fines of up to €20 million or 4 per cent of an organization's annual global turnover, whichever is higher, with supervisory authorities expected to crack down hard to encourage greater compliance.
The research from the Cybersecurity and Information Resilience division of BSI has found that European businesses are aware of the looming deadline – but far from ready.
More than half of the organizations surveyed highlighted concern about the role of their employees in GDPR compliance, and one in five businesses revealed that they had experienced a data-compromising incident in the past 12 months. The Data Protection Commissioner reported 2,795 valid data security breaches in 2017, an increase of 26 per cent on 2016. The research also revealed that:
- One in five senior managers are actively engaged with the GDPR on behalf of their organization;
- 36 per cent are allocating a substantial level of resources to meet GDPR requirements;
- 97 per cent of organizations admit that the GDPR will affect the way they conduct their business;
- Only 27 per cent of organizations have a DPO training programme in place;
- More than half of organizations do not provide data protection training to employees; and
- 63 per cent of businesses have not assigned a DPO.
A further key requirement of the GDPR is the Privacy Impact Assessment (PIA), referred to in the Regulation itself as a Data Protection Impact Assessment: a risk-based assessment used to ensure that the rights and freedoms of individuals are protected when an organization processes their data, and mandatory where the processing is likely to result in a high risk to those individuals. Alarmingly, the research revealed that over 40 per cent of organizations surveyed were not aware that PIAs will be a mandatory requirement, and only 12 per cent claimed to have a good knowledge of PIAs.
Commenting on the research, BSI head of professional services Stephen O'Boyle said: "There's a lot of talk surrounding the GDPR, but with less than one month to go our research shows that organizations are still unprepared and don't fully understand what's required of them. Becoming GDPR ready is less complicated, less expensive and less daunting than many businesses think.
"Data processing is an issue for everyone and awareness levels are increasing. The recently published Data Protection Commissioner annual report highlighted that complaints had increased by 79 per cent compared to 2016, and this year it's anticipated that this figure will be even higher. The new General Data Protection Regulation was set up to benefit everyone, and having the right systems in place is not only good practice but will ensure that organizations build trust and transparency with their customers and minimise privacy and security risks for the future."