A worrying number of companies across the country are not aware of the costs, complexities and responsibilities associated with the new General Data Protection Regulation (GDPR) that comes into force in May 2018, it’s claimed by the Institute of Directors. The survey of almost 900 members of the IoD, carried out between July and August, shows that nearly a third of company directors have not heard of GDPR, while four in ten don’t know if their company will be affected by the new regulations.
The company directors’ body points to a contrast between not enough general awareness on the one hand, and reasonable preparedness of companies who do know about the new rules on the other. Two-thirds of businesses who are aware of GDPR were either very or somewhat confident they fully understand how it will affect the running of their business.
Briefly, the new rules will update the way companies handle data from the 1998 Data Protection Act. The EU-derived GDPR – applied to the UK despite Brexit negotiations- will include tougher punishments for those who fail to comply. Under current regulations as applied by the ICO regulator, there is a maximum charge of £500,000 or 1pc of annual turnover, but this is set to be replaced with a fine of up to 20 million euros or 4pc of annual worldwide turnover. When asked whether they would be fully compliant with the regulations by the May 2018 deadline, 86pc of businesses said they were either very or somewhat confident of being so.
The survey also found that half of directors had not discussed their own GDPR compliance arrangements with partners or vendors with whom they share data. Business leaders affected by GDPR said they were most likely to seek advice from external private advisors (IT consultants and legal firms), while many also said they would visit the government website or get in touch with the Information Commissioner’s Office. Meanwhile, one-third said they had in-house experts.
These results were released alongside the IoD’s Digital Strategy Summit, where speakers including the Information Commissioner, Elizabeth Denham, and the Minister of State for Digital, Matt Hancock.
Jamie Kerr, Head of External Affairs at the Institute of Directors, said: “It was clear from the outset that this would be a mammoth task for small and large businesses alike, but the scale of the challenge has not necessarily translated into preparedness for the new regulation, despite the huge costs of non-compliance. The Government and the regulator must pull their weight on this issue, as it is set to have a significant impact on businesses across sectors and regions in the UK.
“It is crucial everyone understands just how big this regulatory change will be for business leaders over the next few months. GDPR also comes hot on the heels of a number of big regulatory shifts for business over the past few years. We should also not forget the potential of extensive preparations that will be needed as we depart from the EU. Taken altogether, it’s not the easiest time to do business in the UK.
“Company directors are being pulled in so many different directions it is unsurprising that many do not fully understand the details of GDPR. That said, the regulator has a significant role to play in ensuring that SMEs, as well as larger firms, are fully compliant by May 2018. We urge the regulator to step up its engagement with businesses to ensure that they are spreading the message far and wide. In particular, however, it needs to emphasise in simple terms the criteria for compliance, what steps companies will have to take to comply and what the penalties are for not meeting the new standards. As a representative body, we will do our best to work with them to broadcast these messages.”
Comments
Phil Becket, MD, Alvarez & Marsal, Disputes and Investigations said: “Complacency is no longer an excuse for firms, they need to know what they’re doing with consumer data, or face the consequences. Hackers are persistent and creative, and more often than not they are able to get into systems with ease – just look at the recent breaches seen in the news. Combined with stricter rules and harsher punishments for lax security, firms need to be on the front foot and ignorance is certainly not the right approach.
“Data is now one of the, if not the most valuable business asset, so firms across the UK need to ensure they’re protecting its worth. Having the ability to prepare for and detect an attack will be key to staying compliant with the regulations. With fines up to four per cent of a business’ global turnover or €20,000,000, whichever is greater, they simply cannot afford to turn a blind eye to the looming deadline.”
And Dan Sloshberg, Product Marketing Director at Mimecast said: “It’s shocking that many UK organisations have not even heard of GDPR with only eight months until the regulation comes into force. The regulation will change what constitutes personal and sensitive data, and how it can be collected, stored, searched and found. This is where the real workload lies for organisations. An ‘archive-all’ culture means organisations don’t always know what lurks in their vast pools of unstructured data such as email messages and attachments.
“Nearly all organisational information passes through email at some point, and as it is also the entry point in 90pc of cyberattacks, a compromised email system or user can leave an organisation in breach of new regulations. To prepare for the GDPR, businesses must implement a cyber resilience strategy and update outdated email archives that hold GDPR-governed data.”
