“Only 5% of organisations claim to be ready for GDPR”, finds BSI research study

Research conducted by BSI has underlined the growing concern that European businesses are simply not ready for the General Data Protection Regulation (GDPR). Even though 97% of organisations admit that the implementation of the GDPR will affect their business, just 5% say they are fully prepared for the new regulation, with 33% stating that they are just over half way towards compliance.

The GDPR comes into effect on 25 May and will require all organisations to comply with stricter rules concerning the protection and privacy of personal data relating to data subjects (natural persons) within the EU. Failure to comply could result in fines of up to €20 million or 4% of an organisation’s annual global turnover, whichever is greater, with supervisory authorities expected to crack down hard to encourage greater compliance.

The research from the Cyber Security and Information Resilience division of BSI has found that European businesses are aware of the looming deadline, but far from ready. Over half of organisations surveyed highlighted their concern regarding the role of their employees in GDPR compliance, with one-in-five businesses revealing that they had experienced a data compromising incident in the past 12 months. The Data Protection Commissioner reported 2,795 valid data security breaches in 2017, which is an increase of 26% from 2016.

The research also revealed that one-in-five senior managers are actively engaged with the GDPR on behalf of their organisation, 36% are allocating a substantial level of resources to meet GDPR requirements and 97% of organisations admit that the GDPR will affect the way in which they conduct their business.

Data Protection Officers and Privacy Impact Assessments

While specific sectors (eg public authorities) and organisations engaged in high risk data processing are obliged to appoint a Data Protection Officer (DPO) under the GDPR, the survey found that only 27% of organisations have a DPO training programme in place, more than half of organisations don’t provide data protection training to employees and 63% of businesses have not yet assigned a DPO.

An additional key requirement of the GDPR is the Privacy Impact Assessment (PIA), which the regulation itself terms a Data Protection Impact Assessment (DPIA) under Article 35: a risk-based assessment used to ensure that the rights and freedoms of individuals are protected when an organisation processes their data, and mandatory where the processing is likely to result in a high risk to those individuals. Alarmingly, the research revealed that over 40% of organisations surveyed weren’t aware that PIAs will be a mandatory requirement, while only 12% claimed to have a good knowledge of PIAs.

Commenting on the research results, Stephen O’Boyle (head of professional services at BSI) said: “There’s a lot of talk surrounding the GDPR, but with less than one month to go our research shows that organisations are still unprepared and don’t fully understand what’s required of them. Becoming GDPR ready is less complicated, less expensive and less daunting than many businesses think.”

O’Boyle continued: “Data processing is an issue for everyone and awareness levels are increasing. The recently published Annual Report from the Data Protection Commissioner highlighted that complaints had increased by 79% compared to 2016. This year, it’s anticipated that this figure will be even higher. The new GDPR was set up to benefit everyone. Having the right systems in place is not only good practice, but will ensure that organisations build trust and transparency with their customers and minimise privacy and security risks for the future.”

Details of the survey

Over 1,800 European respondents took part in the research, including participants from Belgium, France, Germany, Ireland, Italy, the Netherlands, Poland, Spain and the UK.

The research was carried out as part of the BSI Cyber Security and Information Resilience Path to GDPR Compliance series, which included webinars on GDPR topics covering the Role of DPOs, 20 Steps to Achieving Compliance and PIAs.

Responding industry sectors included aerospace and defence, utilities, education, finance, Government, healthcare, IT, insurance, legal, manufacturing, retail, telecommunications, and transport and distribution.

About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.