Most organisations unprepared for GDPR, survey finds

Only 5% of businesses feel ready for the arrival of the General Data Protection Regulation (GDPR), research suggests, despite the data protection reforms coming into force in less than 30 days.

The British Standards Institution (BSI) surveyed 1,800 firms and while 97% agreed the regulation would affect them, only 5% were fully prepared and 33% were halfway to complying.

The law, which the EU Parliament approved on 14 April 2016, will ensure better transparency and privacy over consumer data. The Information Commission’s Office (ICO) could impose fines of €20m or 4% of annual turnover to non-compliers.

BSI survey participants confessed to feeling confused over some of the GDPR requirements, with 40% claiming they were unaware that conducting privacy impact assessments is a mandatory part of achieving compliance, while 88% said they lacked knowledge in this area.

Ahead of the GDPR compliance deadline on 25 May 2018 details of the lengths some companies are going to prepare have started to emerge. Google has reportedly spent 18 months preparing, while the Department for Work and Pensions (DWP) is said to be on course to spend almost £15m on staff training and system remediation.

However, Stephen O’Boyle, BSI’s head of professional services, said achieving GDPR compliance need not be difficult or expensive.

“Our research shows that organisations are still unprepared and don’t fully understand what’s required of them. Data processing is an issue for everyone and awareness levels are increasing,” he said.

“GDPR was set up to benefit everyone and having the right systems in place is not only good practice, but it will ensure that organisations build trust and transparency with their customers and minimise privacy and security risks for the future.”

The survey also found more than half of organisations did not offer data protection training for staff. This finding ties in with a report from Wombat Security Technologies, which also quizzed employees on the topic.

On average, the respondents answered 25% of questions on protecting confidential information incorrectly, which was the highest number of all security-related categories in the report.

Data security firm WinMagic asked 480 IT leaders about the regulation, and found that 51% have the systems in place to remove consumer data from their servers, while 21% said they did not.

The report also highlighted organisations are not ready for other parts of GDPR, such as data breach reporting and information encryption.