The General Data Protection Regulation represents one of the biggest shake-ups to how organisations protect and use their consumer data. Current EU data protection laws are not sufficient in what is now a data-driven world.
The scandal surrounding Cambridge Analytica and its improper use of Facebook’s user data brought the issue of data protection and privacy to the forefront of national and international conversation, in timely fashion.
The GDPR will be applicable to any organisation that processes the data of EU citizens, and so is not restricted to companies based in Europe. Indeed, GDPR will greatly extend the territorial reach of EU data protection law, applying directly not only to firms based in the EU but also, for example, to those offering services to or monitoring the data of individuals in the EU, irrespective of where the firm is located.
A lot has been made of the headache GDPR is causing organisations. However, in its simplest form, this regulation is a reasonable and sensible set of rules that companies should be trying to implement. At the same time, it signifies a monumental opportunity for businesses to really understand their data, know where it is, and use it to improve operations and enhance the increasingly important customer experience.
One month to go
Today marks one month to go until the GDPR deadline on 25 May 2018, but how prepared are organisations across sectors and regions?
Many companies across regions are behind schedule in their efforts to achieve GDPR compliance. A major survey sponsored by international law firm McDermott Will & Emery and carried out by the Ponemon Institute has revealed that 40% of companies only expect to achieve compliance with the regulation after the 25 May deadline.
“There is a lot more work to be done for GDPR readiness,” according to Mark Schreiber, McDermott partner and a leader of the Firm’s Global Privacy and Cybersecurity Practice.
“These findings reflect the demanding nature of GDPR and the anxiety around complying with it. A key issue here is prioritising what can be done in the remaining time before that May deadline and acting on those high risk areas.”
Companies are investing heavily in attempting to achieve GDPR compliance, because of the financial and reputational damage that a breach will incur.
Indeed, the average annual budget for compliance is $13 million, according to the McDermott findings – a figure that one in three companies expects to review annually.
US companies: Are they prepared?
A significant percentage of US companies are uncertain about or unprepared for the European Union’s General Data Protection Regulation (GDPR) that takes effect one month from today, according to CompTIA.
“Confusion about the regulations remains a significant problem for many companies,” said Todd Thibodeaux, CompTIA president and CEO.
A full 52% of the 400 US companies surveyed are either still exploring the applicability of GDPR to their business; have determined that GDPR is not a requirement for their business; or are unsure.
An issue here is understanding. “Only one in four respondents claim to be very familiar with GDPR,” Thibodeaux said. “Some believe it applies primarily to companies in the EU; others, only to large multinational corporations. Alarmingly, three in ten companies believe GDPR does not go into effect until the end of 2018.”
Indeed, GDPR may have prompted some companies to examine their approach to data governance. Though relatively few of them (12%) have dedicated data governance officers or chief data officers, that may change. One in four large companies surveyed indicate a strong likelihood to hire a data governance or chief data officer within the next two years.
Robert Baugh, Founder and CEO, AmberGate, said: “The lack of GDPR preparedness in the industry is concerning, particularly given the risk of regulatory action and the potential impact to a firm’s reputation. Many firms will now need to divert significant resource and time to the project – there is clearly still much to do across most organisations. Firms will face growing pressure from an internal governance perspective, from investors, and from regulators likely to take an increasingly firm stance on the issue.”
The CompTIA survey found that US companies are split on whether GDPR will impact their business opportunities in the EU. About one-third of the firms surveyed do not believe GDPR will have an impact on their current or future approach to business in the EU – yet it will, if they want to process the data of users from Europe.
With only 30 days until implementation, more than 50% of investment firms globally are unlikely to be ready for the GDPR. This is according to a global industry survey of over 250 financial firms carried out by Cordium.
Designed to benchmark investment management firms’ readiness for GDPR, the survey revealed a lack of preparedness in advance of the regulation’s implementation date. With time running out, only 2% of surveyed firms had finished putting their GDPR policies and procedures in place; 59% of firms said they were unprepared to comply with the required 72-hour window to report a personal data breach to regulators; and 64% were unprepared to respond to an exercise of data subject rights.
Michael Corcione, managing director, Cyber Security and Data Protection Consulting Services at Cordium, said: “Companies that have not yet started their GDPR program – or those still at the early stages – expose themselves to significant compliance and reputational risk. Lack of readiness is due to a failure by firms to understand their exposure to the regulation, as well as MiFID II’s earlier deadline, leaving GDPR to fall down the priority list. With just a four-week window, firms should be practicing these procedures, not defining them.”
Jean-Michel Franco, senior director of Data Governance Products at Talend says, in regard to financial services: “The availability of the data which financial services organisations such as banks and insurance companies use to assess financial decisions and scenarios is fundamental to the personalised services customers expect to receive. Banks, for example, need personal data to calculate credit ratings, financial health-checks and astute investment decisions on their customers’ behalf. As a rule of thumb, the more information you give your bank, the more personalised the service they can provide.”
“However, this scenario works both ways: the more data organisations ask for, the higher the expectation of personalised services from customers. Customers need to see what their data is being used for, so transparency is key if banks and insurance firms are to build and maintain trust with customers. This is especially important for larger organisations given the emergence of data-driven fintech startups offering highly personalised and user-friendly customer experiences and services.”
“Furthermore, recent high-profile data breaches have undermined trust in financial services organisations, with consumers asking whether they are handling personal, sensitive data with a due sense of care and expertise. The General Data Protection Regulation (GDPR) is a huge opportunity for the finance industry to re-establish trust with consumers. Understanding where data is and that it is managed correctly is not only fundamental to complying with GDPR, but also to providing the highly personalised and predictive services which the modern customer expects. Therefore, GDPR should be viewed as an opportunity, rather than threat.”