GDPR’s widespread effect came home to me – literally – after I got a letter by post from a car dealership recently. My one and only transaction with this company was back in 2000. The car I bought from them hasn’t been mine for more than nine years. Yet still, this company had my name and current address on file.
It made me wonder how many more companies have this kind of historical data about customers, and how they’re storing it.
Two surveys issued this month show low awareness of GDPR among Irish companies, with less than a year until it comes into force.
One survey from iReach found that 66 per cent of businesses are unaware of the pending changes to their data protection obligations. The research was released ahead of the recent Government Data Forum.
Separate research from the Data Protection Commissioner’s office found that just 30 per cent of businesses are aware that these changes will take effect from 25 May of next year.
The awareness problem seems to be especially acute for small enterprises. Medium-sized enterprises have greater awareness of data law and the changes that GDPR will introduce. This group is also more likely to have a compliance plan in place.
Four out of five small businesses say they haven’t identified actions they need to take in order to comply with GDPR. A similar percentage don’t plan to use external resources to help them get ready for the regulation.
The DPC polled 500 businesses, so it’s a significant sample size. The survey found that two-thirds of those companies haven’t assessed what personal data they hold. More than half of the businesses haven’t evaluated the reasons why they hold personal data.
Neither survey tells us why awareness levels are so low; we can only speculate. Maybe business owners assume the regulation applies to huge data-hungry social media and internet companies and not to them?
From attending various conferences and speaking to specialists, I’ve heard suggestions that some companies are waiting to see if data protection authorities will be serious about enforcing fines. An early, high-profile win for a regulator would quickly force laggards to get into line.
Alternatively, under-resourced authorities could get mired in litigation for years. This would buy the smaller companies valuable extra time to get their own data protection houses in order. That doesn’t sound like much of a plan to me.
Several market watchers I’ve spoken with say there’s a lot of benefit in carrying out a data audit. By deleting duplicate data or entire records they no longer need, businesses can free up (potentially expensive) storage space they are using unnecessarily.
I can think of one company at least that would benefit from cleaning up some of its old customer data.