More than half of all organisations across the UK are behind on their preparations for GDPR, which is expected to heap significant pressure on IT and DevOps teams, according to one leading industry figure.
Dave Rogers, business development manager and product specialist at King of Servers, recently conducted a GDPR ‘call-out’ across multiple industries to find out how well prepared IT departments are for the changes that will be brought about by the legislation.
However, he found that the majority of organisations are doing nowhere near enough to ensure they meet the minimum compliance, and one of the symptoms of this lack of preparation will be a significant impact on IT departments.
An overview of GDPR
The General Data Protection Regulation (GDPR) aims to improve and unify data protection measures for all residents of the European Union (EU), and is due to replace the Data Protection Directive, which came into force in 1995.
The central objective of the regulations is to make sure data is not misused by companies and that the public’s right to privacy is maintained.
The legislation was adopted by the European Parliament in April 2016, giving companies within member states two years to ensure their data protection measures meet the requirements of GDPR. The deadline for compliance with GDPR is 25th May 2018, and fines for not complying could be worth up to 20 million euros, or 4% of the company’s annual turnover – whichever is greater.
Even though Britain is due to leave the EU, the government has confirmed it will still adhere to any EU law that it is currently subject to, even after Brexit.
The GDPR ‘call-out’
Over the past few months, Rogers has been interviewing organisations to find out how far along they are in their preparations for the May 2018 deadline, focusing specifically on projects within the IT department.
At the end of the call-out, Rogers found that over half of all organisations are still behind where they should be at this point. Companies in marketing and retail have some active projects ongoing, but GDPR-related activity is sporadic in other industries.
“This is driven by unclear executive ownership and uncertainty caused by Brexit. As the deadline looms and the UK government reaffirms their commitment to GDPR post-Brexit, we will find renewed focus; however, the delays so far will manifest themselves as increased pressure on IT and DevOps functions to meet the minimum compliance,” he explained.
He says that, at this stage, organisations should have a clear understanding at a legal, governance and operational level of their obligations under GDPR, in addition to the scale of impact within the organisation at the highest level.
Rogers advises that companies should carry out a ‘GDPR gap analysis’, with the output of this analysis to include IT departments, as some of the gaps found are likely to be caused by the capabilities of current systems in place. The IT function should then address these gaps by creating a series of GDPR transition projects.
He believes GDPR in itself should not drive significant changes in IT infrastructure or IT security, as these have always been required under the existing Data Protection Act.
But what he did find during the call-out was that a number of projects that had once been seen as ‘nice-to-haves’ are now being given budget and renewed focus in light of GDPR. As such, IT departments should be prepared to review and pick up these stalled projects.
The biggest challenge
Rogers believes that there will be a range of challenges facing IT departments as the pressure starts to mount, but the main obstacle to overcome will be the ownership and identification of data within an organisation. The difficulty will come in accurately identifying what data is held, where, and for what purposes.
Organisations should typically begin with a data flow audit, with the aim of identifying any personally identifiable data in the organisation and how it is used and shared. Once this flow is identified, a risk assessment can be undertaken to determine any risks associated with that data, followed by a remediation plan to mitigate those risks.
But that appears to be a pipe dream for the majority of organisations across the UK, which is set to cause headaches for IT professionals.
“At this stage, all organisations should have an understanding of how GDPR will impact them, which will drive a programme of work in their IT departments – with clearly identified budgets and a clear understanding of implementation,” Rogers explained.
“In reality, however, far too many organisations are behind the curve and are putting pressure on IT departments as they see them as the fix to GDPR, leaving IT with no budget and little sponsorship trying to plug the unknown gaps in the organisation. And I suspect this will only get worse as we progress into 2018.”