GDPR: The final countdown

With the deadline for compliance with the EU’s General Data Protection Regulation imminent, how ready are organisations for the new rules – and what will happen to those that fail to be ready by 25th May? Martin Allen-Smith investigates

The recent furore over Facebook and Cambridge Analytica’s alleged use of the social media platform’s user data for political purposes has exposed all manner of questions about how organisations should or should not be allowed to use the information they hold. Perhaps more than that, it has significantly raised public awareness of the myriad ways in which their data could be used socially, commercially and politically.

It is apt this particular story should emerge just weeks before the EU’s General Data Protection rules come into force. The new regulatory scheme represents the biggest overhaul of data rules in over two decades, and with mixed levels of understanding as to how it will all affect them, it is likely that organisations’ preparedness levels – even at this late stage – vary considerably.

Expectations are that many will fall short of where they need to be under the new rules in one or more aspects of GDPR, including data security. According to a recent survey of IT decision-makers, more than two-thirds of businesses questioned admitted they are unable to secure customer data effectively. The study of 750 senior IT staff for Claranet’s Beyond Digital Transformation report found that 69 per cent of respondents admitted to this lack of data security management capability, while another 45 per cent said they face problems around securing customers’ details when trying to improve the digital user experience.

One sector in which there is expected to be a particularly large shortfall in GDPR preparedness is small business, with a third yet to begin their preparations as of 1st March. Just eight per cent of UK SMEs said they were ready, according to figures from the Federation of Small Businesses (FSB), while 35 per cent said that they were still in the early stages of preparations.

More than 80 per cent of small firms operating in the financial services industry said they are ready or in the process of becoming ready, but over half of FSB members from the hospitality and arts and entertainment industries admitted they have not started preparing for the legislation. In retail, 41 per cent said they had not started preparations either, while that figure stands at 37 per cent in construction and 28 per cent in manufacturing.

FSB national chairman, Mike Cherry, said, “The GDPR is the biggest shake-up in data protection to date and many small businesses will be concerned that the changes will be too much to handle. It’s clear that a large part of the small business community is still unaware of the steps that they need to take to comply and may be left playing catch up.”

Equally bleak is the outlook from the London Chamber of Commerce and Industry (LCCI) survey of 500 of the capital’s firms, which found that 24 per cent are unaware of the incoming legislation, while one in three believe it is not relevant to them. In fact, the legislation applies to any organisation using the personal data of EU citizens (including employees), or any firm processing that data on another company’s behalf. Colin Stanbridge, chief executive of the London Chamber of Commerce and Industry, said: “Businesses that are already vigilant about their data protection responsibilities are unlikely to be unduly burdened by the new legislation. However, we would urge businesses to take this opportunity to review their processes to see if they need to make any changes to be compliant.”

For businesses that have been preparing for this important change for a while, now is the time to test and assess that they have covered all bases. The Information Commissioner’s Office (ICO) website has a series of self-assessment toolkits tailored to various business sectors, with separate checklists for data controllers and data processors, as well as compliance assessment tools covering information security, direct marketing, records management, data sharing and CCTV.

For organisations that still have lots to do ahead of 25 May, there are some pressing priorities to address. Mareike Lucht, an associate in the data privacy and cyberspace practice at law firm Squire Patton Boggs, says that it is time to at least check: whether privacy policies depicted on the company’s website fulfil GDPR requirements; if a Data Protection Officer needs to be appointed; if there is a record of processing activities, and if there is not one, to start working on it; if data processing agreements are in place and if they require a GDPR-compliant do-over; and if processing is based on consent, whether such consent needs to be updated.

Lucht adds: “As the GDPR is only weeks away, companies that have thus far made no arrangements can concentrate on these points, as these fulfilments are directly visible to customers and supervisory authorities.”

For organisations worried that there is still too much to do ahead of the imminent deadline, thoughts might be turning towards the implications of failure to comply. Ultimately, the penalties are potentially high. While data protection authorities like the ICO are currently able to issue fines of up to £500,000 for data protection breaches, under GDPR this will rise to up to 4 per cent of a firm’s annual turnover, or €20 million. These fines must be proportional to breaches, but regulators are likely to come down harder on firms that have made little effort to comply with the rules.

The EU says that the key factors which will be assessed in each case of non-compliance would include: the gravity/duration of the violation; the number of data subjects affected and level of damage suffered by them; the intentional character of the infringement; any actions taken to mitigate the damage; and the degree of co-operation with the supervisory authority.

In some respects, the compliance deadline is merely the first in a number of hurdles for businesses to be ready for. Soon after the implementation of the GDPR rules, the ICO’s information campaign will shift from advising organisations on compliance, to informing consumers what it all means for them. Research from data mapping firm Exonar suggests that as a result, some could find themselves in the path of a tsunami of Subject Access Requests, with around 21 million current account holders potentially looking to ask for a copy of their personal data from their bank, with a further 8 million credit card holders requesting the same information.

Julie Evans, COO at Exonar, said companies need to make the most of the little time they have before the ICO starts its consumer publicity campaigns: “Companies often ask us how they can predict how many SARs they will receive. It’s an impossible task as so much of it will come down to consumer awareness.

“At the moment communication efforts from the ICO are focused on getting companies ready for the GDPR, but we expect the focus to change as they start to inform the general public about the changes.

“If the ICO succeeds in raising consumer awareness then the floodgates will open.”

In the context of what is the most significant change to the EU’s data protection laws in over 20 years, firms are also advised to re-examine their current insurance arrangements to ensure that any applicable indemnity limits will cover the costs associated with investigations and breaches under the GDPR.

But there is also much to be gained from complying – and being seen to be compliant – with the new data rules, not least in the context of growing public concern for how their data is used by businesses. Peter Johnson, UK cyber risk leader, client advisory services, Marsh, said that rather than regarding compliance with the GDPR as a costly and disruptive undertaking, firms should see it as an opportunity. “They can improve how they safeguard personal information, boost their understanding of how data can add value to their business, and forge a new relationship with clients based on enhanced transparency and security that can further build trust.

“The GDPR will go a long way towards helping to repair the breakdown in trust between clients and organisations in terms of how personal data is used, enabling proactive businesses to take greater advantage of the data-driven economy.”

This article was published in the March 2018 issue of CIR Magazine.
