According to a GDPR compliance benchmarking survey conducted by Deloitte, only 15 per cent of organisations expect to be compliant with the new GDPR regulations come 25 May.
Key insights from the survey include that organisations are taking varied approaches to achieving compliance, driven by the threat of substantial fines and public shaming.
Organisations are also finding some of the new requirements both complex and ambiguous.
Of those outside the 15 per cent, the majority are preparing to take calculated, risk-based defensive positions backed by a paper trail.
The areas organisations are finding most difficult include:
- User consent
- The right to erasure
- The development and maintenance of a personal data register
- The right to data portability
- The accountability principle
For a number of large organisations holding considerable amounts of customer and prospect marketing data, securing that data to a GDPR standard may be one of the biggest obstacles.
On the face of it, the thought of purposefully reaching out to current databases as part of a “re-consenting” exercise is an unattractive prospect.
It carries the risk that users in the database who came from third-party data sources, or through bundled and ambiguous consent practices, may opt out of future inclusion.
Unsurprisingly, only 19 per cent of the organisations surveyed are planning to undertake such exercises.
Organisations also feel unprepared for a mass opt-out, with 64 per cent reporting that they are not yet ready for one.
Breaking Deloitte’s data down further, only 35 per cent of organisations reported that they already have a data breach reporting procedure that meets GDPR requirements, while 62 per cent expect to have one in place by 25 May.
Taking responsibility for GDPR compliance isn’t just down to the legal team or the IT team; it requires awareness and active buy-in from the business as a whole.
It’s important that the teams and individuals responsible for implementing GDPR best practices clearly engage and educate those outside the bubble.
Given that it’s less than 100 days until the new GDPR regulations come into force, and with the ePrivacy regulation expected in 2019 (which will come faster than you think), it’s important that the processes being put in place now are future-proofed and built for the long term.
Privacy and secure data handling procedures should be seen as a business enabler, not an inhibitor.
May shouldn’t be seen as the finish line but as a very important milestone.
Beyond being complex, a number of the requirements are also ambiguous, including the seventh principle of the Act.
The Act does not define “appropriate”.
But it does say that an assessment of the appropriate security measures in a particular case should consider technological developments and the costs involved.
In practice, “appropriate” covers the actions a business has taken to ensure it has vetted, assessed and properly researched its chosen products, software and solutions.
There isn’t a single path to compliance: on the face of it, a number of the articles can be met quite simply on their own, but in combination they introduce complexities.