Almost one-half of UK firms still unaware of their obligations under the new EU data protection laws
Computing survey finds the nation split between those getting on with preparing for the GDPR and those only dimly aware of changes that will affect all businesses
Organisations should be under no illusion. The EU General Data Protection Regulation (GDPR), which will come into force in 2018, represents a major change in the way that personal data must be managed for any company that does business in or with the EU.
Companies will need to make sure they are able to delete all of a consumer's personal data quickly and completely from their systems on request. There will also be mandatory reporting of serious data breaches, and organisations will be expected to know what data might have been affected - within 24 hours if possible. Firms found to be in breach of the regulation face hefty fines - up to four per cent of global turnover.
To find out how well prepared organisations are for the coming changes, Computing carried out an online poll of about 100 medium-to-large organisations. The respondents all had some responsibility for their organisation's IT or regulatory compliance.
Just over half said they were aware of the GDPR but only 20 per cent were well prepared. A further 26 per cent said they have just started preparing for the regulation. However, a total of 44 per cent were unaware or only vaguely aware of the new rules. This is in keeping with a recent survey by US consultancy TRUSTe across the US and Europe, which found that half of the companies were still oblivious to the changes.
Whatever the reason for this state of affairs, these companies need to educate themselves sharpish. Almost all of them will be processing personal data in some way, and so will need to ensure that this data is stored, processed and transmitted in a way that is compliant with the GDPR.
A quarter of those polled said they will need to invest in new infrastructure or software to comply with the new rules, especially in areas such as security, data governance and identity and access management. A further 53 per cent said they were unsure whether such investment will be necessary or not.
Some organisations will need to invest in a dedicated data protection officer too, especially if their core business revolves around processing personal data or if they are in or employed by the public sector.
But in spite of the inevitable challenges of complying with the forthcoming changes in the rules, most firms recognised them as necessary. Asked about their attitude to data protection regulations, the most popular answer was: "While some data protection regulations are an excessive burden, in general they ensure best practice and innovation, which is a positive thing".
Confused about the GDPR? Don't be! Join our expert panellists on Wednesday 03 February for a live Q&A web seminar: GDPR is coming - make the most of it.