Just 19% of IT decision-makers are confident that they have done enough to fully comply with the now fully enforced GDPR. This figure was deduced from a survey carried out on behalf of Apricorn, which asked the decision-makers whether there were any areas of the new requirements that might cause them to fall short of the regulation; 81% said there were. Only 29% of respondents said that they felt confident that their organisation would comply, though it is not clear to what degree.
The survey also found that 96% of respondents had some level of plan in place to be prepared for the EU regulation. This leaves one to infer that 4% are without a GDPR readiness programme.
“GDPR was enacted in April 2016. Enforcement kicked in on Friday.”
Jon Fielding, Apricorn’s managing director of EMEA, told DataIQ that there has been a long lead time for organisations to get their plans in place. He said: “GDPR didn’t just start on Friday. It was enacted in April 2016 and it’s only enforcement that kicked in on Friday. There’s been a lot of information around for people to get their houses in order.”
The survey found that there are three main reasons why organisations believed they would not be GDPR compliant by the end of last week. Half of the respondents who know that GDPR will apply to them said that a lack of understanding of the data they collect and process is the main concern. For 37% of decision-makers, gaps in employee knowledge are likely to be the cause of a failure to comply.
Fielding said: “There is a lot of misunderstanding of what 25th May is and a lot of people just saw it as a starting gun until it was too late. Actually, that’s when you need to reach the finish line of getting yourself compliant.” He also said that 98% of respondents recognise that ongoing GDPR compliance, beyond the 25th, is going to require continued investment in policies, people and technology.
"This is an ongoing exercise. It didn’t just finish on Friday."
He said: “They concurred that this is an ongoing exercise. That is the start of the investment and they need to maintain the momentum. It didn’t just finish on Friday.”
In the coming 90 days or so, Fielding said it would be interesting to see what action the Information Commissioner’s Office will take with organisations that did not make the deadline. Fielding said: “The ICO has been very clear that there is going to be no grace period. We regularly do see large organisations suffering some very large data breaches, so it will be very, very interesting to see what happens with the first one in the next two or three months. There is bound to be one.”
One hundred IT decision-makers were interviewed by Vanson Bourne, an independent market research company, in April 2018 on behalf of Apricorn, a manufacturer of encrypted USB devices.