In the year since the first report, 95% of businesses now believe that meeting the compliance requirements of the GDPR will be challenging or extremely challenging, an increase of 13%. However, 73% of organisations have now mobilised to tackle the compliance requirements of the GDPR, up from only 16% in 2016.
Despite the significant rise in work being undertaken, it seems that businesses are only now beginning to realise what the GDPR entails and how it affects them, with 75% now believing that their current data protection and privacy notices and methods of consent will require significant changes, an increase of 42% on last year.
Liam McKenna, Partner with Mazars, said, “While we’ve seen some improvements from businesses in the previous 12 months, there is still a lot of work to be done so that businesses are ready for GDPR next May. Organisations need as a matter of urgency to review their internal procedures and controls in light of the impending changes, or they are risking severe penalties from non-compliance.”
Paul Lavery, Partner and Head of Technology & Innovation, McCann FitzGerald, said, “It’s great to see that the number of companies who have begun a GDPR-readiness project has increased, but there is still a significant number who have yet to implement a strategy. It’s not too late, and we would encourage those that haven’t started to avoid burying their heads in the sand, because the consequences for non-compliance will be extremely costly. This includes large fines and even proposed personal liability for directors. For businesses, the potential damage to reputation may be even more dissuasive than any fine.”
Specific areas for concern
Specific concerns around GDPR implementation include the difficulty of complying with the requirements for international data transfers, which 89% expect to find challenging or extremely challenging. 64% think that the more explicit ‘right to be forgotten’ will be very or extremely challenging, a 9% increase on 2016. 62% expect the right to data portability to apply to their organisation’s activities, and 65% believe that facilitating that right will be challenging or very challenging.
What actions are companies taking to get ready?
36% of organisations have yet to appoint a Data Protection Officer (a 6% increase since 2016), a role the new regulation makes mandatory for public authorities and for organisations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive categories of personal data. However, one continued positive trend is that 82% of organisations surveyed will have executive- or CEO-level sponsorship of their GDPR compliance programmes, up 4% on 2016.
In terms of notification procedures, 84% currently have a policy to notify data subjects in the event of a personal data security breach, a 15% increase on last year, and 85% have a policy to notify the local data protection supervisory authority, up 4% since 2016. However, 44% think that meeting the 72-hour period within which the supervisory authority must be notified of a breach will be very or extremely challenging.