The new European General Data Protection Regulations (GDPR) are now just nine months away. They herald wide-ranging changes to how data is stored and processed in Europe and beyond, and many companies will need to make significant changes to how they operate in order to comply. However, recent surveys indicate that many businesses across Europe are not yet engaging sufficiently with GDPR. These include:
- A Calligo survey showed that 69% of businesses are unprepared for GDPR.
- Surveys by both Hamlins LLP and Nexsan showed that many UK businesses are unprepared for the forthcoming regulations.
- The Cyber Governance Health Check Report 2017 revealed that just 6% of the UK’s FTSE 350 are completely prepared for the forthcoming introduction of the European Union General Data Protection Regulations (GDPR).
- A Gowling WLG survey showed that UK business leaders are much less aware of digital risks than their European counterparts.
Now another survey has been published revealing that a large number of businesses are unprepared for the arrival of the new General Data Protection Regulations, with one in five senior executives, worryingly, knowing nothing or very little about GDPR and its impact.
The survey in question was undertaken by Alfresco and AIIM. It revealed that almost 50% of those interviewed said that a significant amount of their business’s GDPR-relevant content is not held in-house but with third parties such as partners and suppliers. This means they may not know exactly where that data resides or how secure it is, which increases the risk of hacks and breaches.
Steve Durbin, Managing Director at the Information Security Forum (ISF) commented:
“The GDPR is the greatest shake-up in privacy legislation that we have seen. It redefines the scope of EU data protection legislation and forces organisations, wherever in the world they are based, to comply with its requirements. Taking into account the overall cost of compliance, along with potential sanctions for non-compliance which include fines of up to 4% of annual turnover, the GDPR will undoubtedly affect an organisation’s overall corporate risk profile, and it is essential that boards and operational management understand this impact sooner rather than later.
“For most organisations, the next nine months will be a critical time for their data protection regimes as they determine the applicability of the GDPR and the controls and capabilities they will need to implement in order to manage their compliance and risk obligations. For most businesses this will require involving not just risk professionals but line-of-business leaders along with legal and the full management team and board. This is an enterprise-wide undertaking to ensure first-stage compliance and continued alignment with the GDPR requirements. Whilst there are detailed materials available to assist in this process from organisations such as the ISF with its Preparing for the General Data Protection Regulation, many organisations still have a long way to go to prepare, implement, evaluate and enhance their data protection activities in line with the GDPR’s legal requirements.”
More and more companies will begin to engage with GDPR as the deadline looms ever nearer, especially as failure to comply could see them face a maximum fine of either €10 million (£7.9 million) or 2 per cent of an organisation’s global turnover (whichever is greater). The most serious violations could result in fines of up to €20 million or 4 per cent of turnover (whichever is greater).