In under three months’ time, GDPR comes into effect. Dire warnings about huge fines for businesses have been the up-in-lights feature of reporting about the forthcoming European Union regulation, to the detriment of other aspects, including the responsibilities it places on organisations.
GDPR involves a significant focus on transparency and accountability, and mandatory data breach reporting (unless the breach is unlikely to result in a risk to those whose data is being processed). It also provides for enhanced rights for those whose data is being processed, as well as enshrining the right to compensation if their data is abused.
Experts on data protection and data governance have been in demand in recent months as organisations scramble to put themselves on a sound compliance footing by the time the regulation comes into effect on 25th May.
Dr Katherine O’Keefe of the consultancy firm Castlebridge says: “One of the biggest misconceptions I think that people have around data protection is that it’s a technology issue.”
She argues that the regulation is about trying to protect people and their human rights, saying: “It’s not just a matter of making sure we have computer security – that’s a very important part of it – but it’s making sure [organisations] treat us as human beings with respect and making sure they have proper governance around what they are doing.”
The UK’s data protection authority, the Information Commissioner’s Office (ICO), echoes this sentiment. “Organisations that seek merely to comply with the GDPR and treat it as another box-ticking exercise are missing the point,” information commissioner Elizabeth Denham said at a recent conference. “And they miss a trick because this is about restoring trust and confidence. Only one in five people in the UK trust organisations to look after their data. That’s not good enough.”
“Good information handling makes good business sense. You’ll enhance your business’s reputation, increase customer and employee confidence, and by making sure personal information is accurate, relevant and safe, save both time and money.”
However, awareness of GDPR is still “sadly lacking”. According to a GDPR compliance benchmarking survey conducted by Deloitte, only 15 per cent of UK organisations expect to be compliant when the new GDPR regulations come into effect.
This is particularly true among smaller businesses. Michele Neylon, chief executive officer of the domain registrar and hosting company Blacknight Solutions, believes overall awareness of GDPR among small businesses is presently insufficient. “While the bigger businesses might be aware and many have either done a lot of work on it, or are at least trying to address it, a lot of smaller businesses aren’t aware how it impacts them,” he says.
There is even less clarity among consumers. Our own GDPR & Data Privacy research shows that fewer than one in five UK consumers are confident their personal data is used in the best possible way by businesses. The survey also revealed that more than a third (34%) of UK consumers plan to exercise their right to be forgotten after the GDPR compliance deadline, and three in five are questioning how much data businesses hold on them.
Yet the research also highlighted a lack of knowledge among consumers of the changes being ushered in by the regulation, with only one in four respondents agreeing they have an understanding of what GDPR is and how it affects them.
So one thing is certain: with such a short period of time left before GDPR goes live, it’s vital that we all understand what it means for us, both as businesses and as consumers.
We recently held a GDPR event at the7stars with a number of leading industry speakers, to help promote a better understanding of the major issues. You can view edited highlights from all speakers and the panel debate – see here.
Finally, the ICO has now published a lot of relevant content on its website and is a great place for further guidance on GDPR preparations – see here.