All personal data must be identified and secured under the GDPR
GDPR awareness is still low among UK businesses and many are unclear on how to comply with the new regulation, Computing research has shown.
The General Data Protection Regulation (GDPR) will strictly regulate the collection, storage and management of EU citizens’ personal data – for all firms that handle it; there is no ‘Brexit loophole’ for UK companies. Firms that do not comply can be fined as much as 4 per cent of their global turnover, or €20 million, whichever is greater. Rather than motivating those responsible for data management to research the GDPR, however, this appears to have left many businesses in denial about its reach and effects.
We conducted our research, detailed in an IBM whitepaper, less than 12 months before the GDPR is due to come into effect, on the 25th May 2018. Of the IT leaders questioned, only 25 per cent said that they fully understood the regulation, and five per cent wrongly thought that it would not apply to them because of Brexit. Eight per cent had no idea what the GDPR was.
More positively, 62 per cent of respondents were at least aware of the regulation, although said that they needed to know more. This is understandable – it is a very complex regulation – but time is growing short. There is little time to plan and implement a strategy before May next year.
Some of the requirements of the GDPR are easier to meet than others: updating wording on contracts and terms & conditions, for example. However, this will still take a significant amount of work, and all companies should at least be in the planning stages. Our research showed that nine per cent of organisations have established a dedicated team for GDPR compliance, while 35 per cent are handling it through existing compliance teams.
30 per cent of firms are putting the burden on the IT department, although this is not the wisest move, given that it is not only IT that needs to be changed; business procedures and staff training are two other areas that must at least be considered. On the other hand, 13 per cent of respondents are giving GDPR responsibility to line of business units, which may not appreciate the extent of the IT changes involved. Getting multiple departments involved is the most sensible way to go about compliance.
As with Brexit, some of the organisations polled mistakenly assumed that they were exempt from the GDPR because they do not process personal data. However, ‘personal data’ is a very wide-ranging term: IP addresses are included, for example. Only two respondents were aware of this.
Anonymisation of data is a valid tactic, as is pseudonymisation. The latter sees identifying information removed from collected data and stored separately; however, this doesn’t remove the need to protect that information (which is still subject to the GDPR).
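Pseudonymisation as described above, as an added Python example that is not part of the original article: the identifiers in each record (email and IP address, which the text notes counts as personal data) are replaced by keyed tokens, and the re-identification table is produced separately and, as the text says, remains personal data that must itself be protected. The key and the sample records are constructed for the example.

```python
import hmac
import hashlib
import re
from typing import Dict, List, Tuple

# Secret pseudonymisation key (constructed for this example). It belongs with
# the re-identification table, not with the pseudonymised dataset.
PSEUDONYMISATION_KEY = b"example-key-do-not-reuse"

# Constructed sample records, each carrying two identifiers that the GDPR
# treats as personal data: an email address and an IP address.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "ip": "192.0.2.10", "pages_viewed": 7},
    {"email": "bob@example.com", "ip": "192.0.2.11", "pages_viewed": 3},
    {"email": "alice@example.com", "ip": "192.0.2.10", "pages_viewed": 2},
]

IDENTIFIER_FIELDS = ("email", "ip")


def pseudonym(value: str) -> str:
    """Keyed, deterministic token: the same input always yields the same token,
    so records of one person can still be linked, but the value cannot be
    recovered without the key. An unkeyed hash would not do for IPv4 addresses,
    since the whole address space could be hashed and compared."""
    return hmac.new(PSEUDONYMISATION_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records: List[dict]) -> Tuple[List[dict], Dict[str, str]]:
    """Return (pseudonymised dataset, re-identification table). The table maps
    token -> original identifier and is stored apart from the dataset; it is
    itself personal data under the GDPR."""
    dataset, lookup = [], {}
    for rec in records:
        out = dict(rec)
        for field in IDENTIFIER_FIELDS:
            token = pseudonym(rec[field])
            lookup[token] = rec[field]
            out[field] = token
        dataset.append(out)
    return dataset, lookup


def reidentify(record: dict, lookup: Dict[str, str]) -> dict:
    """Reverse the pseudonymisation using the separately stored table."""
    return {k: lookup.get(v, v) if k in IDENTIFIER_FIELDS else v for k, v in record.items()}


def contains_raw_identifiers(records: List[dict]) -> bool:
    """Check that no raw email address or IPv4 literal survived in the dataset."""
    pattern = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+|\b(?:\d{1,3}\.){3}\d{1,3}\b")
    return any(pattern.search(str(v)) for rec in records for v in rec.values())
```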
The timeframe to comply with the new data privacy regulations is shortening by the day, and only 27 per cent of firms told Computing that they were fully ready. 55 per cent are ‘working on’ compliance, 13 per cent are not (but really need to!) and five per cent are not sure if they are – which, in this context, probably means no. Even for the majority that are working on compliance now, there is no guarantee that they will be ready come May.