4 May, 2017
Nearly half of organisations involved in a recent study are afraid they will not meet the requirements of the EU's General Data Protection Regulation (GDPR) which will apply from 25 May 2018, and 18% are concerned that fines for not doing so could put them out of business.
Veritas Techologies surveyed more than 900 business across Europe, the US and Asia Pacific and found that 86% of organisations are concerned that failure to adhere to the regulations could have a major negative impact on their business, and 47% have doubts that they will meet the impending compliance deadline.
One in five, or 21% of businesses are worried about having to cut staff numbers due to financial penalties incurred as a result of GDPR compliance failures, Veritas said.
Other concerns include loss of customers and brand damage due to negative media coverage if they fail to comply, the survey found.
Many of the concerns relate to a lack of technology, Veritas said. 32% of respondents were concerned that they did not have the technology they would need to search, discover and review data as required, and 39% said they may not be able to identify and locate data, which is a critical requirement under the legislation. When requested, businesses must generally be able to provide individuals with a copy of their data within a 30 day time frame.
Data protection expert Kuan Hon of Pinsent Masons, the law firm behind Out-Law.com said: "While it is important for organisations to be able to identify and map or track the personal data that they process at a more granular level, GDPR compliance is not just a technology issue. It will be essential to involve not just IT but also legal, risk and compliance functions, and compliance will involve people, policies and processes, not just technology."
42% of organisations have no mechanism in place to determine which data should be saved or deleted based on its value, Veritas said. Under GDPR, companies can retain personal data if it is still being used for the purpose for which the data was originally collected or compatible purposes, but must delete personal data when it is no longer needed for those purposes or certain other permitted purposes.
Organisations in Singapore, Japan and the Republic of Korea are the least well prepared, the survey found. In Singapore, 56% of respondents fear they will be unable to meet the deadlines, and in Japan and the Republic of Korea the percentage is over 60%, Veritas said.
Nearly two-thirds of the businesses surveyed, or 65%, are working with third parties to improve their GDPR performance, Veritas said, and on average businesses expect to spend over €1.36 million by May 2018 to achieve full compliance.
Mike Palmer, vice president of Veritas said: "There is just over a year to go before GDPR comes into force, yet the ‘out of sight, out of mind’ mentality still exists in organisations around the world. It doesn’t matter if you’re based in the EU or not, if your organisation does business in the region, the regulation applies to you."
However, Palmer's comment is "a little too broad," said Hon. "Organisations will be directly subject to the GDPR if they offer goods or services to EU-resident individuals or monitor their behaviour, or if their personal data processing activities are related to such offering or monitoring. That casts a wide net, but is not as broad as simply doing business in the EU.
Furthermore, there is the practical issue of how data protection authorities will actually be able to enforce against non-EU based organisations that have no other connection to the EU, so reputational risk would probably be a bigger factor for such organisations."
"Organisations need to consider the extent of their GDPR risk exposure, both legal and reputational, as soon as possible, and start to put in place appropriate measures to enable compliance where necessary," said Hon. "However, legal advice on the implications of GDPR will be needed in order to assess the risks properly."
The UK government has previously confirmed it will adopt the GDPR despite moving forward with plans for Brexit. Even if the UK decides post-Brexit to change data protection laws relating to the processing of UK citizens' personal data, UK businesses would continue to be subject to the GDPR in some situations.
Last month the Information Commissioner's Office (ICO) urged organisations in the UK to review their "existing consents" to ensure that their activities that involve the processing of personal data comply with the new data protection laws.
A survey in the same month found that many UK businesses had stopped preparation for compliance with the GDPR, believing it no longer applied as a result of the Brexit vote.
The Article 29 Working Party, which is a committee of data protection authorities from across the EU, including the ICO, is expected to issue its own guidance on consent under the GDPR later this year.
For further information, please contact:
Ian Laing, Partner, Pinsent Masons
ian.laing@pinsentmasons.com