Information Commissioner Elizabeth Denham has told businesses there’s no time to delay in preparing for “the biggest change to data protection law for a generation”. Addressing company boardrooms, Denham has called on businesses to see the commercial benefits of sound data protection and act now to ensure they’re fully compliant with the European Union’s General Data Protection Regulation (GDPR) by the deadline of 25 May 2018.
Denham explained: “If your organisation cannot demonstrate that good data protection is a cornerstone of your business policy and practices, you’re leaving your business open to enforcement action that can damage both public reputation and the company’s bank balance. There’s a carrot here as well as a stick: make sure data protection is right and you can see a real business benefit.”
The Blancco Technology Group has just published the results of its ‘EU GDPR: Countdown to Compliance’ research study, exactly a year before this game-changing piece of data protection legislation comes into force. The study surveyed over 750 corporate IT professionals in the UK, the US, France, Germany and Spain to understand their existing data management and protection practices and their ability to comply with various requirements outlined in the EU GDPR.
One of the study’s key findings is that the UK is significantly less prepared than its European counterparts. On a range of measures, the UK is least prepared to comply with the incoming EU GDPR. For example, UK respondents are four times more likely to allocate no budget to GDPR compliance than their colleagues in the US, France and Spain. The UK is also least likely to have performed a data protection gap analysis in the past 12 months and least likely to arrange one before 2018.
Brexit could be contributing towards low UK levels of knowledge. 25% of UK IT professionals feel staff are extremely, moderately or slightly uninformed about the legal requirements of the EU GDPR. Uncertainty around Brexit is a possible factor despite the UK confirming it will adopt the EU GDPR as its data protection standard regardless of the Brexit negotiation outcomes.
Insecure and unreliable data removal methods may also be undermining the ‘Right to be Forgotten’ requirement: a majority of UK IT professionals rely on methods such as basic deletion and free wiping software, which do not reliably render personal data unrecoverable.
Leading specialists form GDPR Alliance
In parallel, leading advisors on data management and compliance have formed a GDPR Alliance. The Alliance includes prominent organisations in the fields of law, software and IT, information security and standards consulting. It has been created to raise awareness and provide a single point of access to the range of expertise and skills any business will need to become GDPR compliant.
The GDPR aims to harmonise data protection laws across the EU and provide stronger rights for individuals that reflect the monumental increase in the use of technology and data in both business and personal lives. To meet the new standards required, all businesses need to have in place comprehensive, but at the same time proportionate measures configured to minimise the risk of breaches and uphold the protection of personal data.
The importance of organisations taking GDPR seriously is reflected in the potential increase in fines that rise from a maximum of £500,000 under the current Data Protection Act to the new higher amount of 20,000,000 Euros or 4% of annual worldwide group turnover.
Founding members of the Alliance include Acuity Legal, Burnt Wolf, Business Doctors, Geldards, Highend Software, Penarth Management, Pervade Software, PiSys.net, Stratel and Wolfberry.
As well as offering support relevant to their expertise, the Alliance members will provide organisations with guidance on what steps to take, regular updates on the implementation timetable and a calendar of planned events specifically designed to increase awareness.
Overly strict interpretation
According to new DMA research, announcements and guidance from the Information Commissioner’s Office (ICO) and others may well penalise those companies most proactive in preparing for the GDPR.
Some commentators worry that the interpretation of GDPR laws will be overly strict. Just over half (54%) of businesses say they’re on course or ahead of their plans to be ready for the GDPR by next year’s deadline, which is down from 68% in February, with a further 24% of firms yet to even start a GDPR plan. Specific GDPR guidance for the business community issued by the ICO and others, then, may have caused more concern than assistance.
Awareness of the GDPR remains high at 96%, but survey respondents now feel less personally prepared than earlier in the year, with those feeling ‘extremely’ or ‘somewhat’ prepared slipping from 71% to 61% of the total.
Chris Combemale, CEO of the DMA Group, said: “Despite high levels of awareness, with a year to prepare for the new laws, the number of businesses that believe they’ll be ready in time has dropped to just over half. Recent announcements and guidance from the ICO have caused much concern that interpretation of the laws is overly strict, penalising the companies most committed to Best Practice, honesty and transparency. What the industry needs is balanced and fair guidance from the ICO and the Article 28 Working Party. With just 12 months to prepare, we need this guidance urgently if we’re expected to be ready in time.”