New research conducted by data security company Clearswift has shown that Board members are more confident than management about their particular organisation’s ability to comply with the General Data Protection Regulation (GDPR) in time for the 25 May deadline set by the European Union.
The research, which surveyed 600 senior business decision-makers and 1,200 employees across the UK, the US, Germany and Australia, reveals that 41% of Board-level respondents think they have all of the necessary processes in place to be GDPR compliant, yet only 25% of senior management and even fewer middle management respondents (21%, in fact) think the same.
It’s important that Boards of Directors understand the true state of GDPR compliance in order to address any issues in time for the deadline, and also to identify ways of growing their business through better information governance.
When it comes to the ‘Right to be Forgotten’, which entitles EU citizens to request that an organisation deletes all references to them that it holds, over half (56%) of Board-level respondents think that their organisation could handle hundreds of requests at once. However, the detailed Clearswift survey suggests that only a third (36%) of middle management agree with that view.
Not only does the research show a differing opinion between the Board and management-level respondents, but it also reveals insights into the extent of data duplication that exists within organisations. For example, 49% of Board-level respondents and 31% of middle management feel their organisation definitely duplicates customer data.
Two-thirds (66%) of Board-level respondents and 70% of senior management believe that employees in their organisation have downloaded work documents to their personal devices (such as a laptop, smartphone or tablet) that haven’t subsequently been deleted, whether unintentionally or otherwise.
Misplaced confidence on GDPR compliance
Dr Guy Bunker, senior vice-president for products at Clearswift, said: “Board-level respondents may have a misplaced confidence when it comes to their organisation’s level of GDPR compliance. However, once a Board becomes aware that its confidence may be misplaced, then it’s immediately one step closer to compliance. By engaging closely with management, the Board will have a much clearer and more accurate view of the state of compliance, and will then be able to put measures in place to address any issues unveiled.”
Bunker continued: “Middle management is more likely to have a better view of the data that the organisation holds – where it’s saved and how it’s being used – because they’re more familiar with the day-to-day operations and challenges that members of staff may encounter. For example, if a company doesn’t have its own private file sharing service, this may drive employees to use third party sites or download data to a USB. Management should be encouraged by the Board of Directors not to filter out ‘bad’ information. For example, if data duplication is rife, the Board needs to know about this such that it can address the issue in time for the GDPR deadline.”
In conclusion, Bunker informed Risk UK: “The GDPR can be the first step towards better information governance. GDPR compliance is about being able to recognise a particular data set and protect it accordingly. The same processes and technology can be used to protect other types of information deemed valuable to the organisation. Product design documents, price lists, patent applications and even information around service pricing and contract bids would all fall into this category.”
*Clearswift has published a White Paper, entitled ‘The GDPR Divide: Board Views versus Middle Management’, which is available for download at: http://pages.clearswift.com/GDPR-divide-guide-2018.html