
GDPR-ready?

by Mark Rowe

European businesses are simply not ready for the General Data Protection Regulation (GDPR), a survey by BSI (British Standards) suggests. Even though nearly all organisations (97 per cent) admit that the GDPR will affect their business, only one in 20 (5 per cent) say they are fully prepared for the new data regulation, while one in three (33 per cent) state that they are just over half way to compliance.

The GDPR comes into effect EU-wide on May 25 and will require all organisations to comply with new rules for data protection and privacy of data subjects (citizens) within the EU. Failure to comply could result in fines of up to 20 million euros or 4 per cent of an annual global turnover.

The research from the Cybersecurity and Information Resilience division of BSI has found that European businesses are aware of that deadline, but far from ready. Over half of the organisations surveyed highlighted their concern regarding the role of their employees in GDPR compliance, and one in five businesses revealed that they had experienced a data compromising incident in the past 12 months. One in five senior managers are actively engaged with the GDPR on behalf of their organisation. About one in three (36 per cent) are allocating a substantial level of resources to meet GDPR requirements.

While specific sectors (such as public authorities) and those engaged in high-risk data processing are obliged to appoint a Data Protection Officer (DPO) under the GDPR, the survey found that only 27 per cent of organisations have DPO training in place. More than half of organisations do not provide data protection training to employees, and a majority (63 per cent) of businesses have not assigned a DPO.

A new requirement of the GDPR is the Privacy Impact Assessment (PIA), a risk-based assessment used to ensure that the rights and freedoms of individuals are protected whenever their data is processed. The research suggested that over 40 per cent of the organisations surveyed were not aware that PIAs will be a mandatory requirement, and only 12 per cent claimed to have a good knowledge of PIAs.

Comment

Stephen O’Boyle, Head of Professional Services at BSI, said: “There’s a lot of talk surrounding the GDPR but with less than one month to go our research shows that organizations are still unprepared and don’t fully understand what’s required of them. Becoming GDPR ready is less complicated, less expensive and less daunting than many businesses think.

“Data processing is an issue for everyone and awareness levels are increasing – the recently published Data Protection Commissioner annual report highlighted that complaints had increased by 79 per cent compared to 2016 and this year it’s anticipated that this figure will be even higher. The new General Data Protection Regulation was set up to benefit everyone and having the right systems in place is not only good practice but will ensure that organizations build trust and transparency with their customers and minimise privacy and security risks for the future.”
