Organisations need to do more work to ensure compliance with the European Union’s General Data Protection Regulation (GDPR) which is due to come into force in May 2018. While organisations are largely aware of their upcoming obligations, levels of maturity to meet the new standards are low.
Overall, organisations are compliant with fewer than 40% of the principles laid out in the GDPR. DLA Piper’s Global Data Privacy Snapshot 2017 notes that some industries are progressing towards compliance better than others. The hospitality and banking sectors are ahead of the rest with 48% and 43% compliance respectively, compared to the average of around 37%. Healthcare and manufacturing are at the bottom end of the scale with 34% and 35% compliance.
Data breaches are already the second greatest concern for business continuity professionals, according to the latest Horizon Scan Report published by the Business Continuity Institute. Unless organisations become compliant by the time the GDPR comes into force, a breach could become even more disruptive.
Patrick Van Eecke, partner and global co-chair of DLA Piper’s Data Protection practice, said: “The responses show that many organisations still have work to do on their data protection procedures. Any organisations operating in Europe will need to see major improvements in their score by May 2018 if they’re to avoid potentially heavy financial penalties under the GDPR, not to mention serious reputational damage as people become more and more aware of their rights in this area.”
Van Eecke added: “With more and more organisations placing data centre stage, data protection will become an increasingly prominent issue. It’s vital that organisations invest now in the strategy and processes needed to help them to meet their obligations.”
Jim Halpert, the US co-chair of DLA Piper’s Global Data Protection practice, added: “As privacy requirements such as privacy by design, data portability and extensively documenting a privacy program become more complex, compliance demands significant operational work that takes time. In this sense, the results are not surprising. The time to step up compliance efforts is this year, not next.”
The GDPR will apply to processing carried out by organisations operating within the EU and to organisations outside the EU that offer goods or services to individuals in the EU.
The UK Government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR. Organisations failing to comply with the GDPR after its implementation in 2018 could face fines as high as 4% of global annual turnover.