Are European Businesses Ready for the EU General Data Protection Regulation (GDPR)?

By Dominic Johnstone, Head of Information Management Services, Crown Records Management

Dominic Johnstone, Head of Information Management Services, Crown Records Management

With the EU General Data Protection Regulation (GDPR) drawing ever closer—it will come into force in May 2018—there remain serious question marks over whether businesses across the continent are ready for its arrival.

The regulation will give EU citizens new rights over their personal data, including the right to ask for it to be edited or deleted, as well as bringing in huge fines for data breaches. So, the challenge for all businesses comes from the need to know exactly what data is being held and where it is before taking further steps to make that database searchable and editable.

For some companies there is no doubt that it is a daunting prospect. Businesses which have large amounts of data stored on paper face a particular challenge because the regulation applies not only to digital information but to all personal data however it is kept. Larger businesses will need to appoint a Data Protection Officer before next May and all will be required to build ‘privacy by design’ into their data policies and gain clear consent before collecting the personal data of EU citizens from now on.

The bottom line is that all those changes require significant investment to allow information management systems to be updated and hardware upgraded. So, perhaps it should come as no surprise that many businesses have been delaying preparations.

A Crown Records Management Survey, undertaken by Censuswide, polled 408 IT decision makers in companies of between 100 and 1,000 employees in the UK earlier this year and found that a quarter of businesses had cancelled preparations for GDPR while they waited for Brexit. This has proved to be a mistake because the UK has since passed the UK Data Bill, which mirrors many of the principles of the GDPR, and Brexit has moved so slowly that Britain will still be part of the EU when the regulation comes into force on May 25.

Additionally, companies have quickly realized that even businesses based outside the EU will be affected in future if they handle the personal data of EU citizens.

What many businesses seem to be missing is that there are also significant business benefits arising from updating information management policies and becoming GDPR compliant

You have to ask, then, why businesses are not doing more to prepare and whether an underlying ‘head in the sand’ culture is leaving them vulnerable. The Crown Records Management Survey painted a worrying picture when it came to attitudes to data breaches, for instance, and suggested many of the UK’s data breaches are currently going unreported.

The most hard-hitting statistics include:

• 32 percent know someone in their company who has not reported a data breach
• 31 percent have delayed reporting a data breach to senior management or the appropriate authorities
• 29 percent have chosen not to report a breach to senior management or the appropriate authorities
• 27 percent know someone in their previous company who has not reported a data breach
• 14 percent don’t know who to report a breach to
• 8 percent don’t know what constitutes a data breach

Some of these statistics are shocking and suggest that data breaches may be far more common and more widespread than many people realize. That’s a big issue when you consider GDPR will bring in fines of up to 20m Euros or 4 per cent of turnover for data breaches in future. It also provides a strict timescale for the reporting of breaches (within 72 hours).

There appears to be a culture inside many companies that the best response to a breach is to ignore it or keep it quiet. Perhaps this comes from a fear of the loss of reputation which can be experienced when breaches are publicized. Or perhaps it is simply down to lack of clear procedures and information management in the business. Either way, the implications are serious. It is absolutely vital that businesses tackle this culture of secrecy because in future failing to report a breach will simply not be acceptable. In fact, it shouldn’t be acceptable now. Having a clear data protection and information management programme in place is vital for businesses to avoid these kind of problems. It should be very clear who is responsible for reporting breaches and who they should be reported to.

What many businesses seem to be missing is that there are also significant business benefits which arise from updating information management policies and becoming GDPR compliant. These include de-risking the business, cutting the cost of storage, and unlocking hidden value in data.

There is a strong belief in the industry that companies which can prove they are good custodians of personal data will gain a significant advantage over market rivals in future.

The ‘head in the sand’ approach could not only put reputations at stake but also see businesses miss out on future opportunities for growth.