Organisations struggling to meet GDPR requirements, with poor planning and lack of awareness to blame

Last month marked the first anniversary of the GDPR (General Data Protection Regulation) taking effect, but many organisations are still struggling to meet their compliance requirements, according to a Thomson Reuters report.

The report, GDPR+1 Year: Business Struggles with Data Privacy Regulations Increasing, polled organisations from across the globe a year before the GDPR took effect and again in December 2018. It found that many companies are paying the price for failing to understand how difficult it would be to implement the necessary measures.

For example:

  • 79% of organisations are failing to meet the GDPR’s requirements;
  • 25% don’t consider themselves knowledgeable about the Regulation;
  • Half of organisations have been subject to enforcement action related to data protection violations; and
  • 70% are less open when engaging with customers about data privacy.

Falling behind with GDPR compliance

One of the biggest concerns of the report is that nearly four in five organisations say they are struggling to meet the GDPR’s requirements. They were given plenty of time to prepare, so what’s been the issue?

The answer might come in the 2017 poll, in which organisations were a lot more confident of their ability to stay on top of the GDPR’s requirements. For instance, only 18% of organisations in Germany and 44% of organisations in the UK said they were failing to meet the Regulation’s requirements.

A year later and those figures have risen to 49% in Germany and 57% in the UK.

There are two possible reasons for that change. First, organisations have deprioritised the GDPR now that the furore surrounding it has died down. As a result, organisations are working with smaller teams and fewer resources, meaning they can’t keep up with ongoing compliance concerns.

Alternatively, the year-on-year difference may be an example of the Dunning–Kruger effect, a cognitive bias in which, the less someone knows about a topic, the more likely they are to overestimate their knowledge. In 2017, awareness of the GDPR was much lower than it is now, which means organisations were more likely to misjudge how complex the Regulation was and therefore be more confident in their ability to meet its requirements.

Now that the GDPR is in effect and organisations have a better idea of the way it affects business processes, they realise that their plans were insufficient.

Non-compliance has led to enforcement action

Despite suggestions that the GDPR has had little effect, with only a handful of notable fines issued in its first year, Thomson Reuters’ report suggests that there have been real-world consequences for poor data protection practices.

Enforcement actions for data protection or privacy violations have increased from 38% to 50% in the past year. The UK has seen a jump from 35% to 49%.

One of the primary reasons for this might be that, ironically, organisations are trying to prevent GDPR failures. The report suggests organisations are being less proactive in engaging with customers about data privacy, perhaps because they’re worried that interactions will lead to data subjects filing complaints or submitting DSARs (data subject access requests).

Globally, the number of organisations that said they actively engaged with individuals about data privacy issues fell from 42% in 2017 to 30%. The US saw the biggest drop (from 60% to 27%), while the UK saw a relatively small decrease (from 41% to 35%).

Meanwhile, New Zealand (17% to 32%) and France (32% to 33%) were the only surveyed countries to report an increase in data privacy openness following the implementation of the GDPR.

It’s never too late to achieve GDPR compliance

The GDPR may have taken effect over a year ago, but it’s not too late to learn about and implement its requirements. As Thomson Reuters has indicated, the biggest problems stem from ignorance. If you take the time to understand the GDPR’s requirements and how to meet them, you can boost your chances of avoiding a data breach or privacy violation.

You don’t even need to be fully compliant to reap the benefits. The ICO (Information Commissioner’s Office) has said it will be lenient on organisations that can demonstrate they are taking steps to meet the GDPR’s requirements.

Simply getting started will therefore be a major positive step, one that you can build on over the coming months. You can find out where to begin with the help of our GDPR guidebooks.

EU GDPR, A Pocket Guide provides a comprehensive introduction to the Regulation, explaining in simple language the obligations of data controllers and processors, the steps you must take to secure personal information and the data subject rights you must comply with.

Meanwhile, EU GDPR – An Implementation and Compliance Guide contains practical advice on how to meet the Regulation’s requirements. Its detailed commentary on the Regulation and explanation of the changes you must make to your data protection regime make it an ideal companion to your implementation project.