GDPR requests to take thousands of hours a month, says survey

UK and European businesses expect to spend hundreds or thousands of hours a month dealing with customer queries about the upcoming European Union’s (EU’s) General Data Protection Regulation (GDPR).

Meanwhile, most organisations aren’t confident they know where all their data is stored and most aren’t aware of the fines, which can run into millions of euros, that non-compliance can bring.

Those are the findings of a survey – carried out by Populus for database remediation software maker Senzing – that questioned 1,015 companies in the UK, Germany, France, Spain and Italy.

It asked companies about their knowledge of where data is housed, actions being taken to prepare for GDPR, the impact in terms of fines and reputation of GDPR non-compliance, and their confidence the company can be respond to data enquiries in the specified time limits.

Under GDPR, which is set to come into force in May 2018, there will be greater rights for the individual to decide how their personally identifiable data is used by corporations. They will also have the right to request access to that data, with requests processed free of charge within 30 days.

Personally identifiable extends from name, and date of birth, for example, to a range of things retained by IT systems, including metadata, IP addresses, mobile IMEI numbers, SIM card IDs, cookies and biometric data.

Respondents said, on average, they expect to get 89 GDPR enquiries per month, for which they will need to search an average of 23 databases, with each search taking around five minutes.

According to the averages across all companies polled for the survey, the total time spent looking for data per month will be around 172 hours, which is more than eight hours of searches per working day or one employee dedicated solely to dealing with GDPR enquiries.

Large enterprises expect to get an average 246 GDPR enquiries per month, for which they will need to search 43 databases (seven minutes per search). They will spend more than 1,259 hours on this, which equates to nearly 60 hours of searches per working day or 7.5 employees dedicated solely to GDPR enquiries.

The survey found a significant proportion of businesses say they are not confident about where data is housed or that they cannot account for all their databases.

More than 1 in 10 (12%) companies say they are not confident they know where all their data is stored, and under half (47%) are “very confident”. Meanwhile, 15% of businesses are not confident they have accounted for all databases that contain personal/customer data, with only a third (35%) stating they are “very confident”.

Although 44% of companies say they are concerned about their ability to be GDPR compliant – which rises to 60% in the case of large companies – many businesses demonstrate a lack of awareness about GDPR and have overconfidence that they will not be affected.

More than a third of companies (35%) are aware of the potential fines for non-compliance, which in the worst cases can be €20 million or 4% of global annual turnover. Meanwhile, 30% said financial penalties will have no impact at all, and 15% say they “don’t know” about the impact of financial fines.

A divide between small to medium-sized enterprises (SMEs) and large organisations is evident in planning for GDPR.

Just more than a quarter (27%) of SMEs and half (50%) of micro businesses say their current set up is optimum and they do not need to make any changes to their operations, compared with just 16% of large companies.

On average, 38% of companies do not intend to take any preparatory action. However, 39% plan to overhaul their IT/customer data systems, and a further 15% intend to hire data analysts to collect data. Again, larger companies are more proactive, with two-thirds (64%) planning to overhaul their IT and a third (33%) looking to hire analysts.