GDPR: readiness still far away for many, with less than six months to go

A stopwatch showing a deadline. In this case, less than 6 months until GDPR comes into force

GDPR enforcement begins in under six months, but new surveys suggest many organisations will struggle to be ready in time. One survey found that fewer than one in five businesses are well prepared for the regulation. In separate research, 95 per cent of businesses said being compliant will be a “massive challenge”.

The first finding is in a new report from Ibec, the employers’ group, and the law firm A&L Goodbody. The report suggests high levels of awareness: 87 per cent of respondents see GDPR as a “significant” issue. Almost half of organisations (47 per cent) have already assessed their data protection risks. Roughly similar numbers have appointed a GDPR implementation team (46 per cent) and have compiled an inventory of all the personal data they hold (44 per cent). Data Protection Officers are in place in 42 per cent of the organisations that took part in the survey.

Staff training

Other results were less encouraging, however. Just 29 per cent said they had held staff training workshops on GDPR, while only 21 per cent have assigned budget towards GDPR. Considering a much larger percentage are already working towards GDPR, it could mean they are adding compliance tasks to employees’ existing workloads.

With the 25 May 2018 deadline coming into focus, the news from Mazars and McCann FitzGerald was similarly mixed. Far more organisations are tackling GDPR compliance than they were last year: 73 per cent, a huge increase from just 16 per cent in 2016. By contrast, more businesses believe compliance will be “challenging” than did 12 months ago: 95 per cent versus 82 per cent last year.

False start

Of course, there’s more than one way of interpreting the findings. For example, 39 per cent of Ibec’s survey group haven’t started working towards compliance yet. What’s more, 79 per cent have not set aside budget to do so.

Things aren’t much better in the UK, where 75 per cent of law firms say they’re not GDPR-compliant yet. Security commentator Graham Cluley doubts that the 25 per cent of legal offices claiming they’re ready are in fact fully prepared.

There’s some good news for those affected by GDPR – that is, EU citizens. The European Commission is to begin an awareness-raising campaign in January, informing people of their rights under the regulation. The campaign may hold some useful insights for the public-sector agencies, businesses and charities struggling to figure out what GDPR will involve. In addition, a survey of UK charities suggests that the public likes GDPR.

Help at hand

So, with public support for the regulation on the one hand, and mixed levels of readiness among businesses on the other, where do we go from here? Fortunately, there are many resources to help. The Data Protection Commissioner’s website GDPRandyou.ie has information to help organisations understand what they need to do. The Commissioner, Helen Dixon, has said her office will do its best to support organisations in their compliance efforts. The UK Information Commissioner’s Office also has guides for getting ready. The Cloud Security Alliance has published a code of conduct for GDPR compliance that includes a suggested approach for cloud service providers.

At last month’s Irisscon security conference, An Post general counsel Linda NiChualladh suggested a four-stage approach to getting ready. Stage one is to determine the current plan. The next stage is a data mapping exercise to discover all potential sources of stored personal data, which could be CCTV footage or call recordings. Stage three is a data inventory, while stage four is a GDPR gap analysis. Linda defined the gap analysis as discovering what current data protection law does not cover, compared to the new regulation.

Impact assessments

She also recommended the Data Protection Commissioner’s guide to data privacy impact assessments. “It takes you stage by stage on how to do a privacy impact assessment. At this point, a lot of people need that linear approach, so it’s not a bad place to start,” she told the conference.

Many organisations delegate GDPR to their IT teams, but Linda advised against falling into the temptation to do this. She said: “It is a business problem.” The surveys referenced here make that point very clearly.
