The General Data Protection Regulation (GDPR) is the best excuse a company has to identify opportunities to improve the data protection processes that they may already have in place. Approached in the right way it can even provide a competitive edge by forming a better understanding of a customer in order to tailor products and services.
With less than a year until the implementation of the GDPR in May 2018, Exonar surveyed the data protection and wider IT community to gain an understanding of how prepared businesses are for the new regulation and what challenges are standing in their way.
The good news is that the results found that the majority of companies recognise GDPR’s importance, are on track and have either already begun preparations to be compliant with the GDPR or have a plan that will see them be ready by May 2018.
However, significant challenges still remain in the form of time, money and understanding of the reach and implications of the new regulation. It’s clear some companies are shackled and their plans aren’t progressing or have not even been formulated. This situation often appears to be exacerbated by a lack of leadership and a failure to identify where the buck stops.
On Target For GDPR Compliance
The early signs for GDPR compliance are largely positive, with 61% of respondents stating they are on course to comply (26% have a plan and started preparations, 6% already compliant, 23% ready for May 2018). A further 16% added that they have a plan but have not started to implement it yet. Given how rapidly data is collected, created and stored by organisations, it would be extremely difficult to flick a switch and instantly become GDPR compliant, so putting processes in place at an early stage is a key step.
Understanding the type of data that will be affected under the GDPR is one thing, but having to search for where that data is held and who is responsible for it is another issue. Without the right plans and preparation, some organisations may run into trouble. Without a clear picture, companies won’t be able to fulfil information requests as required.
Subject Access Requests (SARs): Still Work To Do
A worrying finding was that just over a quarter of respondents stated that they did not know what a Subject Access Request (SAR) is. A SAR is most often used by individuals who want to see the information an organisation holds about them. A quarter of respondents said they get 50+ SARs a year. More than half think that SARs will increase with GDPR and a third think they will at least double. But, at the moment, only 14% said they can complete a SAR in less than three hours. 27% say it takes between one and seven days to process, while 43% think it will take longer to handle requests.
Data Security: The Hidden Gem Of GDPR?
A combined 84% stated that they expect their business data will become more secure due to an audit to identify personal data (52%) or as a result of data storage and handling improvements (32%). The results demonstrate that, for many, the process of becoming GDPR compliant is a valuable one and may be just as important as maintaining GDPR compliance in the future. The key to making the journey to GDPR compliance a positive one for a business is to start with a period of data discovery. Once this initial dataset is understood, businesses can then identify what is personal data and what is not.
Education Is Needed!
The survey results suggest that more companies need to rethink their organisational responsibilities. Most respondents believed that IT holds the data protection role (42%), while only 29% have a dedicated Data Protection Officer (DPO) in place. This is despite the terms of the GDPR, which state that all organisations of over 250 employees must employ a DPO. The requirement to appoint a DPO can also apply to smaller businesses employing fewer than 250 staff, as defined in GDPR Article 9. Furthermore, the lack of planning and disregard for SARs is likely linked to the confusion over who holds responsibility for data protection within many businesses.
Time & Money Remain Challenges, While Some Hope Brexit Saves The Day
The survey results found that just 6% of businesses believe they are already compliant, while 16% of respondents said they haven’t even thought about GDPR. Shockingly, 6% are waiting for Brexit in the hope it will mean that GDPR won’t apply to them. There could be a nasty sting in the tail for any businesses that believe Brexit will overrule the GDPR, as even though the UK has voted to leave the EU, UK businesses will still have to comply with new regulations if the data they handle concerns EU citizens, or has the potential to identify individuals within the EU.
Digital minister Matt Hancock has also confirmed that the UK will replace the 1988 Data Protection Act with legislation that mirrors the GDPR post-Brexit. 15% of respondents said they don’t have the funds to get their GDPR plans off the ground, while 20% say they don’t have time to focus on it. A further 18% admitted they don’t know where their data is, again showing the need for a period of data discovery.
The outlook for many businesses aiming for GDPR compliance by May 2018 is generally positive, with the process of data discovery, categorisation and protection actually helping their business to become more efficient and secure. However, tough challenges still remain for some, while those who choose to ignore the new regulations or hope for a silver bullet in the form of Brexit could be in for a shock. The good news for those businesses that may have fallen behind is that a thorough approach to data discovery, properly implemented, will lead you to data that you did not know about – offering not only a great start to GDPR compliance but also the opportunity to uncover and resolve data that is ‘hiding’ throughout your network.
This task of creating a data inventory does not need to be arduous. Using Big Data and Machine Learning principles as part of a discovery, data mapping and data inventory process offers the ability to rapidly find and categorise data, and to do so on an ongoing basis – complying all of the time, not just at audit time.