The government hasn’t adequately explained to organisations what the EU General Data Protection Regulation (GDPR) is and how they should prepare, according to 76% of respondents to a new survey by Bitdefender.
GDPR Reality Check also found that 52% of respondents believed the media and marketing departments were “guilty of over-hyping the GDPR”.
The reported lack of trustworthy guidance has caused confusion, with 26% of respondents saying that they “definitely will not be able to give a concise description of the GDPR and how their company adheres to this framework”. A further 9% said they weren’t sure if they’d be able to do this, leaving less than two thirds (65%) of senior IT and cyber security staff with a clear understanding of the GDPR and its compliance requirements.
The lack of awareness of the GDPR is evident in that 47% of respondents said they would be tempted to risk a fine for breaching the GDPR “if it meant they could offset a complex implementation process”. There are two problems here. First, for many organisations the cost of compliance will be significantly less than the fines for non-compliance, even accounting for the fact that most fines will be a fraction of the maximum penalty (€20 million (about £17.5 million) or 4% of annual global turnover – whichever is greater).
Second, the UK’s supervisory authority, the Information Commissioner’s Office (ICO), won’t identify a non-compliant organisation, issue a fine and leave it at that. Its disciplinary measures will almost certainly include enforcement actions, in which the organisation is investigated and mandated to bring any non-compliant practices in line with the GDPR.
‘A new perspective’
Commenting on the report, Liviu Arsene, a researcher at Bitdefender, said: “This study brings a new perspective to GDPR compliance. As an industry, everyone in IT can agree that the GDPR represents the most significant change to data protection practices in two decades – yet despite the hype around it, it appears that not everyone is sure exactly what it is or whether their companies are ready for it. It’s this last point that is concerning.
“In less than 100 days all companies will be held responsible for their handling of data as it relates to the protection of European citizens’ data. Companies will need to prove they are doing everything they can to protect this data, share who has control over it and even how, if at all, it is transported to other regions of the world.
“It’s not too late to act. Companies still have a small window of time in which they can establish data ownership, identify security weak spots, and shore up defences. The risks of not doing so simply do not add up in the modern enterprise, where data, and data protection, is money.”
Essential guidance for those starting their GDPR compliance project
To get started with the Regulation, we recommend our book of the month, EU General Data Protection Regulation (GDPR) – An Implementation and Compliance Guide.
This book is an ideal companion for those starting their GDPR compliance project. It explains:
- The GDPR in simple terms;
- The obligations of data controllers and processors;
- What to do with international data transfers; and
- Data subjects’ rights and consent.