The GDPR countdown begins – Are you regulation ready?

January 4, 2018 Bridewell Consulting

A lot has changed in the 20 years since the UK government introduced the Data Protection Act. Internet use has exploded, with social media, e-commerce and mobile technology revolutionising how we live our day-to-day lives.

The internet has also massively increased the amount of data we produce. In fact, 90 per cent of the data in the world today was created in the last two years, according to IBM. We currently generate approximately 2.5 quintillion bytes of data every day.

Data protection laws must therefore reflect the way people and organisations handle information today, which is why EU regulators are introducing the GDPR on May 25th. But with less than six months to go until the implementation date, are UK firms ready to comply?

State of readiness in the EU and US

General awareness of the GDPR is good, which is perhaps not surprising considering the importance of the regulation and its impending deadline for compliance.

That said, more than one-fifth (21 per cent) of the businesses polled in a recent Varonis survey still weren't aware of the GDPR. The research, which was compiled between September and October 2017, questioned French, German, UK and US firms.

EU-based organisations had far greater levels of awareness (88 per cent) than those located in the US (65 per cent). Many businesses were also well on their way to compliance – 38 per cent of French, German and UK companies said they were already fully in line with the new rules.

A further 49 per cent said they were more than half done, while eight per cent claimed the GDPR wouldn't affect their business and five per cent weren't sure how ready they were.

The biggest GDPR challenges

The Varonis research also highlighted the areas giving organisations the biggest problems during preparations.

Across the EU, respondents believed the right to erasure rule – outlined in Article 17 of the regulation – was the largest compliance hurdle. Also known as the 'right to be forgotten', the rule enables individuals to request that their personal information be deleted or removed from an organisation's systems if there is no compelling reason for its continued possession.

In the UK, the key issue for businesses is the data protection by design principle, which is enshrined in Article 25. Fifty-eight per cent of those polled said this rule would be the most difficult to follow.

It requires enterprises to implement technical and organisational measures that show data protection has been considered and included when formulating processing activities.

However, notifying authorities of breaches seemed less of a concern. Only 24 per cent of businesses ranked it as a top-three challenge. This is despite the severe penalties associated with failures to report – up to four per cent of annual revenue or a €20 million fine, whichever is larger, in the worst cases.

The business benefits of compliance

While GDPR compliance may seem onerous, organisations appear to understand the value of complying with the regulation.

Nearly three-quarters (74 per cent) of respondents in the Varonis survey believed adherence to the regulation would give them a competitive advantage over other businesses in their sector.

Nonetheless, the research showed UK firms are less convinced of the commercial benefits than their global counterparts. Only 66 per cent thought the GDPR would provide a competitive advantage, while 80 and 72 per cent of French and German businesses, respectively, said the same.

Even US companies viewed the GDPR more favourably (78 per cent), despite the EU regulation not affecting the data of the country's citizens directly. That said, any organisation handling the personal data of EU citizens must comply with the GDPR, regardless of where it is located.

The final push towards compliance

Confidence regarding GDPR compliance seemed mixed across different industries. For example, 44 per cent of HR professionals still don't know what the regulation is or how it will affect them, according to an SD Worx survey from December 2017.

But Royal Mail research showed that the marketing industry ranked GDPR compliance as its number one data management concern for 2018. Only 12 per cent of marketers were very confident they were in line with the regulation when it came to third-party data.

Regardless of industry, the GDPR is a crucial piece of legislation that will affect many firms worldwide. AvePoint and the Centre for Information Policy Leadership (CIPL) found that half of privacy professionals reported higher budgets this year in order to prepare for the deadline and beyond.

One-third of businesses said they would be increasing headcounts to ensure smooth compliance with the regulation.

"The conversation around GDPR is ongoing and will definitely be a mainstay beyond the May 2018 date, after GDPR is live," said Bojana Bellamy, CIPL president.

Does your business currently have the resources to comply with the GDPR on time? Please contact Barclay Simpson to discuss your recruitment needs in 2018.
