The European Union introduces GDPR at a time when the world needs to strengthen consumer privacy rights and enhance data governance. Given the importance of this law, several studies have been conducted to assess the organizations’ level of preparedness for compliance with GDPR requirements.
The latest survey conducted by Alert Logic revealed that only 5% of companies are compliant with the upcoming EU data protection law. It is evident that most firms are headed for a difficult business environment, because most of their operations would be deemed illegal and punishable under GDPR come May 2017.
With just 5% of European companies prepared for GDPR, this implies that 95% have less than one year to make the necessary organizational changes. According to the survey findings, 77% of organizations claimed to be familiar with the new law. Worryingly, just 5% of companies are compliant with the requirements, yet 77% claim to be knowledgeable of the provisions of GDPR. These results point to one concern: most companies have ignored the calls to lead their organizations into compliance, even though they know the applicable provisions.
The GDPR Penalty Regime
Going by the study findings, GDPR authorities are likely to penalize many companies, because most of them will not be able to satisfy all the requirements. In fact, the study shows that 27% of organizations are not sure whether they will be ready by the time the new EU regulation becomes effective. Such non-compliant organizations risk losing business and revenue, as they will be forced to pay fines. GDPR introduces a harsh penalty regime that may be disruptive to most non-compliant companies. EU authorities will stand firm on adherence to the new law in order to uphold privacy and avert data breaches, which have cost many companies billions through data integrity attacks.
GDPR introduces several important changes that aim to enhance data security, reduce the time firms take to detect breaches, and empower them to become proactive in identifying and communicating data breaches. However, many organizations face various challenges that impede achieving compliance. According to the survey findings, half (50%) of the surveyed companies indicated that financial constraints were the greatest challenge to GDPR compliance. Lack of in-house IT expertise was another significant hurdle, reported by 48% of the study participants. Insufficient knowledge of the provisions of this law was also cited by 37% of the sampled organizations as a challenge to becoming compliant.
Data protection by design and by default
Most companies are concerned with Article 25 of the GDPR legislation. This article outlines the approach that data controllers should take by introducing data protection by design and by default. The implementation approach required by Article 25 obliges firms to adopt privacy and data protection strategies that begin from scratch. This may involve substantial redesigning and investment in protection controls and processes. The companies' concerns with Article 25, therefore, could be due to the substantial financial resources needed to fund the entire process. This possibly explains why most organizations believe that lack of finance is the most significant challenge to attaining compliance.
The Alert Logic study revealed that many organizations find it difficult to adhere to their own data control processes. The results indicate that 61% of companies had formal processes that notified authorities in case of a data breach.
However, only 39% could follow those processes as required. This finding implies that even compliant companies could still face data breach penalties as a result of failing to follow due process. This is despite the fact that 42% believe that only a few organizations will fall victim to the huge fines.