With less than 3 weeks until Europe’s huge shake-up of data protection laws comes into force, 40% of company directors do not think their firm will be GDPR compliant before the 25th May deadline. The figures are revealed in a survey carried out by the Institute of Directors (IoD), which also shows that business leaders’ confidence in their ability to comply has actually declined as the change draws nearer.
The General Data Protection Regulations, which will apply not just to firms based in the EU but to any organisation that holds data on EU citizens, are the first major data protection rules of the digital era, replacing rules written in the 1990s, before the rise of the internet and social media. A requirement for “security by default and design” on systems that store personal data has meant that for many firms GDPR compliance is as much an IT overhaul as a legal compliance issue. Changes to rules on consent and how consumers can request access to their data mean that many companies will need to change significant areas of their operations.
Thanks to the efforts of an army of contractors and in-house teams, most firms have managed to prepare for the changes. The majority (59%) of directors report that they are “confident” or “very confident” that their organisation is in a position to comply with GDPR. The remaining 40% of firms could find themselves hit hard by failing to get to grips with the new rules, with fines for breaches of up to €20 million, or 4% of global turnover.
Perhaps the most shocking revelation from the IoD’s results is that 17% of company directors are not even sure they understand what is required of them under the new regulations, up from 16% in August of last year. This could be because firms initially underestimated the scale of changes needed for compliance, suggests the IoD’s head of external affairs, Jamie Kerr: “GDPR has been a long time coming for businesses, but it is only proving more formidable as the deadline looms and companies drill down into the detail.”
Mr Kerr notes that it is often smaller businesses that are struggling to get up to speed with the new changes, and has called for government to focus its efforts on reaching these companies. “The Government’s immediate priority should be to ensure the ICO has the resources it needs to make a big final push to assist small businesses in the run-up to this month’s deadline,” he said.
The ICO, which is responsible for enforcing data protection rules in the UK, has provided online factsheets and checklists designed to help businesses comply with the new rules. It has also said that it will reserve the power to levy huge fines for those cases where a firm has made no effort to comply. If they want to avoid falling into this group, those bosses who are unaware of the requirements will need to get to work on compliance.