Top UK and US firms still overestimating GDPR readiness

Less than five months before the compliance deadline for the EU’s General Data Protection Regulation (GDPR), most top UK and US firms are still overestimating their state of readiness, a study suggests

This article can also be found in the Premium Editorial Download: Computer Weekly: Countdown to GDPR

Some 94% of FTSE 350 companies and 98% of Fortune 500 companies believe they are on track to comply with the GDPR by 25 May 2018, according to a survey by international law firm Paul Hastings.

However, the survey also shows less than half (39% in the UK and 47% in the US) have set up an internal GDPR taskforce, only a third are hiring a third-party to conduct a GDPR gap analysis, and roughly only a third are hiring a third-party consultant to assist with compliance, all of which suggests many companies are not as well-prepared as they think.

Despite being one of the crucial requirements for GDPR compliance for any business involved in the “large scale monitoring of individuals”, only 29% of top UK firms and 18% of top US firms are hiring a data privacy officer or additional privacy staff, and only 10% of UK companies polled have allocated budget for GDPR compliance.

Reports from Australia indicate that apart from some notable exceptions, most Australian organisations are also still largely unprepared to comply with the GDPR.

Behnam Dayanim, partner and global co-chair of the privacy and cyber security practice at Paul Hastings, said: “Achieving GDPR compliance is an enormous task, which in our experience almost inevitably requires dedicated resources and budget.

“Against that backdrop, the confidence among major corporations revealed in our survey seems mismatched with those same businesses’ reports of their implementation efforts,” he said.

At the other end of the scale, a November 2017 survey of more than 900 small to medium-sized enterprises (SMEs) in the UK and Republic of Ireland revealed there is still much work to be done before these businesses are fully prepared for the GDPR.

Read more about GDPR

The survey by the Close Brothers showed SMEs are struggling to get to grips with what “personal data” really means, their customers’ new and extended rights, and whether the permissions they currently have to contact customers will meet the requirements of GDPR.

With so few companies undertaking key compliance measures to date, Dayanim believes it will be “a race to the finish line” for those needing to meet the terms of the wide-reaching GDPR. “This unfortunately seems to be setting up a scenario for multiple investigations and enforcement activities once the implementation date arrives,” he said.

Failure to comply by any company anywhere in the world that does business with Europe and holds personal data about EU residents – for purposes such as profiling and big data analysis – could result in fines of up to €20m or 4% of its global turnover, whichever is the greater.

Another survey published in November 2017 by cloud security firm HyTrust revealed as little as 22% of US organisations are concerned about the GDPR and have a plan in place. The survey included respondents from key industries, including government/military, financial/insurance, healthcare/biotech, manufacturing, transportation/shipping and technology.

More than half (51%) of respondents said their organisation is either not concerned about GDPR or is unaware of its relevance to their business. 

Read more on Privacy and data protection

Data Center
Data Management