Is UK confidence in GDPR readiness misplaced?

February 23, 2018 Bridewell Consulting

Businesses have less than three months to prepare for the General Data Protection Regulation (GDPR), which represents the largest overhaul of privacy and information laws across Europe in decades.

But UK firms appear to be ahead of the curve when it comes to preparedness, according to a new study from W8 Data. The company questioned organisations across the top ten countries in Europe based on gross domestic product and found Britain was the most confident about meeting its compliance obligations for the May 2018 deadline.

The study found 29 per cent of UK enterprises either didn’t know about the GDPR or felt totally unprepared for its introduction. This may seem high, considering the significant fines attached to non-compliance, but a staggering 73 per cent of Spanish businesses say they aren’t ready.

Swedes and Germans were also lacking confidence, with 71 and 52 per cent of respondents, respectively, claiming they didn’t believe they would be prepared in time.

“It is fantastic news that the UK is leading the march when it comes to compliance,” said W8 Data managing director Will Anthes.

“We have always been at the forefront of the marketing industry and the fact that we are taking a more positive stance demonstrates our maturity and understanding of the need for better data protection.”

Underinvestment could prove a problem

Despite the positive results, separate studies have shown that UK companies may be overly confident in their compliance efforts regarding the GDPR.

Law firm Paul Hastings publishes regular updates on GDPR readiness among major UK and US companies. In December, 94 per cent of FTSE 350 firms and 98 per cent of Fortune 500 businesses said they were on track to comply.

However, Paul Hastings revealed a gulf between company confidence and the implementation efforts being made. For example, only 39 per cent of UK respondents had set up an internal GDPR taskforce.

Just 33 per cent have enlisted the services of a third-party consultant to help with compliance and less than one-third have hired a data privacy officer or additional privacy staff.

Furthermore, only 10 per cent of UK firms have a dedicated GDPR compliance budget. A previous Paul Hastings survey in October showed a lack of investment in new technologies: only one in ten firms had strengthened their IT systems to cope with the GDPR.

“Achieving GDPR compliance is an enormous task – one that in our experience almost inevitably requires dedicated resources and budget,” stated Behnam Dayanim, partner and global co-chair of Paul Hastings’ Privacy and Cybersecurity practice.

“With so few companies undertaking key compliance measures to date, it will be a race to the finish line for those needing to meet the terms of this wide-reaching regulation.”

GDPR optimism on the increase, but are you ready?

While there appears to be a disconnect between preparedness perception and reality, businesses appear to be coming around to the idea of the GDPR.

The W8 Data survey revealed data controllers feel the compliance burden has not been as cumbersome as first imagined. They also believe there is more leeway than anticipated.

Penalties for non-compliant firms are severe, however, with businesses facing a fine of up to four per cent of revenue or €20 million (£17.6 million), whichever is greater.

As the deadline looms, enterprises that have failed to allocate additional resources to GDPR compliance may feel now is the time to re-evaluate their preparedness levels.

Paul Hastings found the average spend on extra staff to cope with the GDPR at FTSE firms was between £201,000 and £400,000 in October.