If the report published by the FTSE350 Cyber Governance Health Check represents facts on the ground, then most UK businesses still have a long way to go in preparing for compliance with the General Data Protection Regulation (GDPR).
They are equally at high risk of incurring substantial fines under the stipulations of the new law. Companies operating in Europe have no choice but to put systems and processes in place that guarantee privacy and data protection. This is of paramount importance at this point, given that there are barely seven months to the GDPR deadline, May 25, 2018.
Research findings indicate that only 6% of UK firms are completely prepared for the new law. This revelation speaks volumes about the level of preparedness of UK companies. There is an urgent need for companies to improve their preparations for satisfying the compliance requirements. The remaining time may not be sufficient to allow most UK organizations to satisfy all the requirements if they do not speed up the process.
Unawareness of GDPR Requirements
Despite the implications of the changes, a majority of the respondents lack sufficient knowledge of the GDPR requirements. As the FTSE350 Cyber Governance Health Check Report shows, 60% of the surveyed individuals admitted they were only slightly or somewhat aware of the requirements for their businesses. This complicates the process of aligning company systems, and the organizational structures within which processes are performed, with the GDPR requirements. Many policies regarding privacy and data protection would have to be formulated, and policy formulation can only be effective if the policymakers understand the GDPR requirements. This implies that many companies risk facing non-compliance penalties.
Effects of Brexit
Brexit has been one of the UK’s false hopes. Most businesses thought that the GDPR would stop applying post-Brexit. Others disregarded its seriousness, basing their decisions on earlier regulatory scares such as Y2K, which ended up being no big deal. It is important, however, for UK companies to note that the GDPR is already documented in the country’s statute books. Consequently, there is no other way out of the non-compliance penalties except meeting all the requirements. The current situation implies that most firms face reputational damage as well as a fine of up to 4% of annual global turnover.
GDPR compliance is more than just the assessment of the IT systems used to track customers’ data. Assessment of IT systems is indispensable to compliance, but process management and adherence play the most significant role in achieving it. The best strategy requires aligning the processes for sourcing, storing, retrieving and erasing data with the requirements of the law. GDPR may sound like primarily a technology issue; however, several other important aspects play significant roles in the process.
For instance, a firm would have to identify a technology that helps in meeting the requirements for opt-in consent from users. It will also need to establish safe means of collecting data from consumers, as well as mechanisms for identifying data breaches immediately.