In June 2017, Riverbank IT Management commissioned an independent, anonymous online survey of 150 UK business decision makers on the subject of the GDPR, which comes into effect on 25th May 2018.
The General Data Protection Regulation (GDPR) is the European Union’s new data protection law. It replaces the Data Protection Directive and is a much more ambitious law. Among its most notable changes, the GDPR gives individuals greater control over their personal data and imposes many new obligations on organisations that collect, handle or analyse personal data. The GDPR also gives national regulators new powers to impose significant fines on organisations that breach the law.
In doing this survey, we wanted to get a snapshot of perceptions in the UK, with a particular interest in the Information Technology elements that the GDPR affects. Here are the findings:
Have you already allocated a Data Protection Officer (DPO)?
Probably the most straightforward question, but the most indicative of attitudes towards the GDPR, was ‘Have you already allocated a Data Protection Officer (DPO)?’
62% of our respondents said they have not.
Whilst this in itself is not an issue for another 11 months, it gives us a picture of prioritisation within a business. From May 2018, a DPO will be mandatory for public authorities and for organisations whose core activities involve large-scale, regular monitoring of individuals or large-scale processing of special categories of data, and a sensible appointment for many others. If a DPO has been nominated, it suggests the organisation is a long way down the road of addressing the body of work required to be compliant. If no such allocation has been made, it is reasonable to assume that the GDPR is not yet a strategic business consideration from Board level down.
Are you clear about what needs to be done to comply with the new legislation?
Leading on from this, we asked, ‘Are you clear about what needs to be done to comply with the new legislation?’ The biggest response was 40% saying they have a vague idea, with a further 27% saying they simply don’t understand. A further 5% said they don’t have time to think about it.
This leaves just 29% of our respondents feeling confident that their obligations to the legislation are very clear.
Where did you seek advice about GDPR planning?
We went on to ask, ‘Where did you seek advice about GDPR planning?’ The biggest response to this was 43% saying they did their own research, whereas 24% consulted with a professional.
Concerningly, a third of our respondents said that they are yet to seek advice. With little more than ten months left to get compliant, organisations need to plan, execute and test their compliance programme successfully or face the consequences of crippling fines* and compensation claims.
When attending networking events with peers, how much is GDPR a discussion point?
So, with the GDPR about to become a legal requirement for all organisations that process personal data, and with fines as high as €20m or 4% of the organisation’s annual worldwide turnover (whichever is the higher)*, the GDPR has got to be what everyone’s talking about, right?
A staggering half of those surveyed told us that it’s not of much interest, with another 38% saying it’s getting a mention. Only 12% say it’s either one of the big subjects or the hot topic of conversation.
What sense do you get from peers about GDPR?
Whether we like it or not, the GDPR becomes a legal requirement for all organisations from 25th May 2018, but should we like it? How should we approach it? So we asked, ‘What sense do you get from peers about GDPR?’
The biggest response was that it is a necessary evil that is being reluctantly planned for, with another third believing that their peers are unaware of it and so not planning for it.
Sixteen percent believe it will not affect them, and only 18% see it as an opportunity to leverage.
What effect do you think Brexit will have on this legislation?
With 16% believing the GDPR won’t affect them, we wanted to know why, so we asked, ‘What effect do you think Brexit will have on this legislation?’ A worrying 19% think that once the UK leaves, the EU regulation won’t matter.
Unfortunately, this is simply not the case. In the short term, the UK will still be a member of the EU in May 2018 and therefore bound by EU law, including the GDPR. In the longer term, whatever the settlement terms, the UK will need to adopt or adapt the GDPR in domestic law: any organisation offering goods or services to, or monitoring, people in the EU remains in scope regardless of where it is based, and the UK will need equivalent protections to keep personal data flowing from the EU.
Does your organisation have a process to identify and manage security risks to your data?
As an IT management company, we want to get a grasp of the perceptions of UK businesses on the subject of data security to better understand our clients’ needs, and so we asked, ‘Does your organisation have a process to identify and manage security risks to your data?’ A healthy 46% say they have one and that it is kept up to date.
Unfortunately, the remaining 54% of organisations are only beginning to address it or, disturbingly, not doing it at all.
How is your organisation planning to protect client data in line with GDPR?
In a follow-up question, we also asked, ‘How is your organisation planning to protect client data in line with GDPR?’ The greatest response was an indifferent 34% who say they haven’t decided yet, whilst a worrying 29% felt they didn’t need to comply.
Seventeen percent are some way towards protecting their sensitive data by deploying anti-virus and/or anti-ransomware, and a solid 21% have a full set of procedures and a continuity plan. It is worth noting that endpoint protection on its own does not satisfy the GDPR: Article 32 requires security measures appropriate to the risk, which in practice means knowing what personal data you hold and where, controlling who can access it, being able to restore it after an incident, and regularly testing that all of this works.
It cannot be emphasised enough that UK businesses are responsible for protecting all their sensitive data, both from hostile attack, such as the WannaCry ransomware that hit multiple organisations including the NHS**, and from poor planning and management, as demonstrated by BA***.
The fines* can in themselves seriously damage or even shut down a business, but the deeper impact will be felt in the absolute loss of credibility and trustworthiness in the eyes of customers. If businesses don’t take every reasonable step to protect their data, they send a clear message of contempt to the people who pay the bills.
The GDPR is coming – fact. How your business handles it is a choice.
The smart organisations will embrace it, own it and live by it; seeing it as an opportunity to grow through improved processes, more robust defences and ultimately, confident clients.
If you’d like to understand whether your company is ready for the GDPR in terms of data protection, have a chat with one of our IT security experts and make sure your business will be one of the success stories, not one of the examples of where it all went wrong.
Claire Vickery has been a marketing professional in the IT industry for over 15 years. She believes passionately in the advantages strategic IT management can deliver to businesses in order to help them grow and succeed.
Call: 01235 426700
Further reading: Riverbank’s Annual Backup and Disaster Recovery Survey
Riverbank – Thinking IT