With the EU’s General Data Protection Regulation (GDPR) coming into force on 25th May 2018, a new survey by the British Standards Institution (BSI) has found that companies are still unprepared for GDPR, despite there now being less than a month to go before implementation. Little has therefore changed since we reported on the issue at the 80-days-to-go mark.
GDPR is being implemented into UK law by repealing the Data Protection Act 1998, and replacing it with the Data Protection Act 2018.
General Data Protection Regulation (GDPR): Background
The intention behind GDPR is to provide individuals with greater control over their personal data. Non-compliance is punishable by a fine, with two levels of fine being introduced. The first level is up to €10 million, or 2% of annual global turnover, whichever is the greater. This relates to breaches regarding breach notification, security, record-keeping, and privacy impact assessment obligations. The second tier of fine is for up to €20 million, or 4% of annual global turnover, whichever is the greater. This relates to cross-border data transfers, breaches regarding legal justification for processing, and data subject rights. The full nature, extent, and scope of the regulations are set out here.
British Standards Institution (BSI) Survey Finds Companies Still Unprepared For GDPR
The BSI survey found that the overwhelming majority of businesses felt they were still unprepared for GDPR, with just 5% of the 1,800 companies surveyed stating that they were ready.
The key findings of the survey were as follows:
- 5% of businesses state they are fully prepared
- 33% of companies say they are more than 50% ready
- 97% of companies believe that GDPR will have an impact on their business
- Only 36% of companies have invested significant resources to ensure that they are fully compliant with GDPR
- Where businesses need to formally appoint a data protection officer (DPO), 63% have not yet assigned the role, whilst just 27% have a DPO training programme in place.
- Fewer than half of the companies have provided their employees with training in GDPR compliance
- 40% of companies were unaware that GDPR requires organisations to carry out privacy impact assessments (DPIAs), while 88% of businesses confirmed that their knowledge of their obligations in this area was lacking