The European Union’s General Data Protection Regulation (GDPR) will come into force exactly a year from now and is expected to extensively reform existing cyber-security and data protection practices.
We take a look at the industry’s view on GDPR and how prepared organisations are for the upcoming legislation.
A recent global survey conducted on 400 CIOs by Vanson Bourne has revealed that as many as 67% of European companies and 88% of U.S. organisations with European customer data have a clear idea of what the GDPR entails. At the same time last year, only 55% of European companies and 73% of U.S. organisations with European customer data had a clear understanding of the legislation. This marks a significant improvement and implies that a clear majority of companies in Europe will be ready for GDPR by the time it arrives.
However, the general awareness on GDPR among consumers is rather disappointing. According to an RSA survey of 2,045 UK consumers, while 76% of consumers have heard of the existing Data Protection Act in force in the UK, only 15% of them are aware of GDPR, which means that a lot of work needs to be done by the government to ensure people are aware of the upcoming data protection regime which is only a year away from implementation. However, the bright spot is that one in every four UK consumers have so far boycotted companies that have poor data protection practices in place.
While awareness is not a major issue, European companies have so far performed better than British ones when it comes to preparing themselves for GDPR. A recent Compuware research revealed that less than one in five UK businesses have a detailed plan in place which conforms to rules laid out in the GDPR.
Dr Elizabeth Maxwell, Technical Director for EMEA at Compuware believes that this is a result of ‘the initial uncertainty over the impact of Brexit on the need to comply.’ This is despite the fact that the government has left no stones unturned to confirm its adherence to the GDPR. Minister of State for Digital and Culture Matt Hancock has emphasized that in order to ensure an uninterrupted flow of data between EU-member states and the UK post-Brexit, the GDPR needs to be implemented in full.
It is also believed that a many UK businesses are either not conversant with the harsh fines and punishments laid out in the GDPR or are not serious about implementing strict data protection practices, despite the fact that the GDPR is very clear on what companies need to do and what will happen if they don’t follow the rules.
“Organisations can no longer see data breaches as an abstract tech or IT problem; boycotts and penalties are serious business risks and should be a board-level business issue. Make no mistake, there will be businesses that will never fully recover from such a fine if they don’t go out of business entirely. We will all know of the EU General Data Protection Regulation then,” said Rashmi Knowles, Field CTO at RSA.
Among other requirements, GDPR will make it mandatory for companies to conduct data privacy impact assessments to identify risks and mitigations before engaging in high-risk activities, obtain clear affirmative consent from involved parties before initiating data collection activities, identify all personal data, assess how they are stored and for what purpose they are used to prepare for audits and obtain explicit parental consent for any data collected about minors. Age verification of children before data collection will be a must.