Organisations’ understanding of data “not greatly improved by GDPR” warns ICSA

by Brian Sims

The introduction of the General Data Protection Regulation (GDPR) has not yet led to a substantial improvement in organisations’ understanding of their data. That’s according to the results of a poll conducted by ICSA: The Governance Institute in conjunction with recruitment specialist The Core Partnership.

The poll reveals that the largest group of organisations surveyed (42% of them, in fact) feel that their understanding of data has stayed the same since the EU’s GDPR was introduced. Some 39% of respondents believe that their understanding has improved significantly, however, while a further 17% think that it has improved only slightly.

Some of the positives cited as having resulted from the implementation of the GDPR are as follows:

* Much more awareness of data issues than was previously the case
* It has forced organisations to review and update procedures right across the board and duly identified many gaps
* It has resulted in significant culls of databases
* The law change has given legal colleagues a seat at the table to ensure compliance is taken seriously, not only when dealing with customers, but right upstream as new processes/systems are being designed
* Greater understanding of the security of personal data in colleagues’ personal lives

Negative comments from respondents

Some of the more negative comments include the following:

* GDPR is a hassle and hasn’t advanced business. It has only increased overheads
* Huge burden on resources
* GDPR has created much extra work for little extra benefit
* Data Subject Access Requests are taking a disproportionate amount of time and money to resolve
* Significant compliance burden with no clear additional benefit to data subjects. The previous legislation seemed more than adequate

Peter Swabey, policy and research director at ICSA, told Risk Xtra: “Some organisations feel that the GDPR has added cost and complexity and that a sledgehammer has been used to crack a nut in terms of what the GDPR has actually achieved. Others feel that it has helped them to clarify and make more efficient the systems and processes that use personal data.”

Swabey continued: “While the GDPR has undoubtedly increased the compliance burden and costs, there are also benefits in that the profile of properly holding and protecting data has also significantly increased. The GDPR has concentrated people’s minds on personal data, but it’s a continuing obligation whose burden is yet to be fully felt.”

In conclusion, Swabey observed: “It should also be remembered that obligations under the UK’s Privacy and Electronic Communications Regulations (PECR) are of equal importance. Organisations do need to understand the interaction between the GDPR, the PECR and the Data Protection Act 2018.”