News analysis: Countdown to GDPR - ready or not?
195 days from now, enforcement of the General Data Protection Regulation (GDPR) begins. By then, every business in the UK which handles personal information ought to be aware that the law has changed. If they want to avoid being first in line for a financial penalty, then all of them really should be fully prepared, too.
But research suggests that not only will a considerable number of organisations not be ready, but there will also be a sizeable group who continue to be unaware of GDPR. According to one informed source, there have been 57 different surveys into how prepared British companies are, none of which gives grounds for over-confidence. When the ICO throws the enforcement light switch, it looks set to dazzle many firms who are operating in the dark.
DataIQ has now surveyed our community three times in 18 months about its level of awareness of GDPR. Given the nature of companies who engage with us, it is perhaps not surprising that 96% professed to be very or somewhat aware of the Regulation by Q3 of 2017. What is surprising is that 4% could be either neutral or unaware that the law is changing - even the briefest visit to our web site would reveal over 1,700 items of content making reference to it.
But there is evidence of a lag in awareness when comparing year-on-year shifts between the first quarters of 2016 and 2017. While awareness started from a relatively high 79.6% in early 2016, it only shifted by an extra 6.3% across the following 12 months. The big kick came in the next six months when 9.7% more companies discovered the existence of GDPR.
In research carried out elsewhere, however, this lag in awareness is still all too visible. Perhaps because the survey samples were drawn from a broader profile of UK plc, they have revealed an ongoing knowledge gap. Closest to the DataIQ findings was the 7% of employees who said their companies were unaware of GDPR in research carried out by office products specialist Fellowes.
Among marketers, however, there is a more worrying absence of knowledge that data protection laws are changing. In the DMA GDPR research, 77% said their awareness was good, leaving 23% on the wrong side of the ledger.
As with our own community, it is not through a lack of shouting about the need for action. Chris Combemale, CEO of the DMA Group, said: “The GDPR is a watershed moment for organisations to make data protection a core brand value, placing respect for privacy at the heart of their brand proposition. We should use the new laws as a catalyst to transform the way we speak to customers, making every engagement human-centric. This will enable organisations to build trusted, authentic and transparent relationships with their customers.”
The biggest knowledge gap was found in a survey of 500 senior decision makers carried out by learning provider Litmos Heroes, which revealed nearly three in ten had no idea about the forthcoming changes.
Tom Moore, managing director of Litmos Heroes, worried that, “the findings raise a number of concerns and it seems that some businesses really need to be reminded about the impact of these new regulations. Let’s be clear: if any organisation handles the data of an EU citizen - whether Brexit or no Brexit - it will apply to them.”
That uncovers one of the possible factors which have limited the conversion of GDPR awareness into actually being prepared for it. Despite eight out of ten organisations telling DataIQ they knew about the Regulation in Q1 of 2016, at that point only just over half (54.5%) were either very or somewhat prepared. A year on, that had risen to 67.9%, undoubtedly as compliance programmes began to get underway in the looming shadow of enforcement.
Yet that pace of preparation has slowed subsequently - by Q3 of this year, 70.7% of organisations were saying they had a degree of preparedness. Notably, those who claimed to be very prepared had grown by less than 1%. While GDPR is complex and there is still much guidance yet to be issued on what it means, the dwindling amount of time available to prepare will see a lot of anxious business leaders eyeing the calendar come early Summer 2018.
In other studies, a very wide variation in the degree of readiness can be found. Marketers were revealed by the DMA to be somewhat ahead of the curve, even though 15% said there was no plan in place in their business. Encouragingly, 56% said they were on track and 4% even ahead with their GDPR plans, but 17% confessed to falling behind the curve.
At the other end of the spectrum, tech vendor Veritas discovered only 31% of firms claiming to be compliant, leaving 69% exposed. But its own analysis suggests that barely 2% are really ready, regardless of what they claim.
At Fellowes, which hit the mid-point of preparedness by finding 47% of its respondents had done nothing, Darryl Brunt, UK sales and marketing director, noted: “Despite the impending deadline, our research shows that many companies don’t appear to have systems and policies in place to protect sensitive information. If this data is then stored illegally - or falls into the wrong hands - the damage caused to the organisation could be irreparable.”
That is a view shared by Moore of Litmos Heroes: “I think one of the really staggering outcomes of this study is that, as custodians of many organisations’ data protection controls, so many IT businesses are so under-prepared.”
As the ICO puts in place the resources it needs to go after companies who have chosen to do nothing about GDPR, there is really no excuse either for failing to be aware of the law or for not taking action to become compliant. There may be barely six months left, but taking some steps is better than taking none, certainly as far as the regulator is concerned.