Practical Law has published a report on the results of a survey of some 248 professionals, drawn from in-house legal, risk and compliance, HR and company secretarial functions. The survey sought to find out how informed businesses are about the EU General Data Protection Regulation (GDPR), how they expect it to impact them, how confident they are about achieving compliance by GDPR implementation day, 25 May 2018, and how they plan to achieve compliance.
The report can be accessed here.
Many thanks to all those who participated in the survey and provided their comments, and to those who contributed to the design and execution of the survey and the production of the report.
When I first read the report, the most immediately eye-catching data were those which supported the notion that the GDPR represents a game-changing piece of regulation for many organisations.
For example:
- Only 19% of respondents believe that the GDPR will mean “business as usual” for their organisation.
- Most respondents feel that the GDPR will necessitate significant changes to some of their organisation’s operations.
It would seem that this perspective has been arrived at in part because the GDPR represents a much higher-risk proposition than the current Data Protection Directive regime. This is underlined by the substantial uplift in fines (up to 4% of global turnover) and by considerably more rigid compliance requirements, such as mandatory 72-hour breach reporting.
The higher regulatory risk presented by the GDPR’s arrival coincides with an alarming increase in the number and ferocity of cyber attacks, creating what some are calling a “perfect storm”. So it is perhaps unsurprising that data security (Article 32, GDPR) is cited as the principle of the GDPR causing most concern to respondents.
The elevated sense of risk and the advent of direct obligations on data processors under the GDPR have brought into focus the importance of robust processing contracts with key counterparties, highlighted as a major area of concern by the more expert respondents in particular. (See Practical Law’s Data processing clauses (GDPR version).)
If you are feeling behind the curve on the GDPR, you are not alone, and there are some statistics in the report that will provide at least a crumb or two of comfort. For instance:
- Over half of respondents reported that there was little awareness of the GDPR across the business.
- Nearly a quarter were not confident of complying by 25 May 2018, with a substantial number blaming a lack of management buy-in. (See Practical Law’s UK data protection memorandum to board of directors (GDPR version).)
- 35% of respondents reported that their organisation had not yet appointed a DPO despite recognising a need to do so. (See Practical Law’s Practice note, Data protection officers under the GDPR, Do we need a data protection officer?: flowchart and The role of a data protection officer under the GDPR: video.)
I anticipate that the report will provide a good benchmarking tool for all organisations. We have analysed and cross-referenced the survey results from several perspectives, including organisation size, nature of business and industry sector, in order to extract the most important trends.
The report includes detailed analysis on:
- Respondents’ and their organisations’ levels of familiarity with the GDPR.
- Impressions of the likely impact of the GDPR and levels of enforcement.
- Where the GDPR sits in the list of priorities.
- Levels of preparedness and confidence amongst respondents and their organisations.
- The particular institutional challenges respondents are facing in confronting the GDPR compliance challenge.
- The specific articles and principles of the GDPR that present the greatest challenges.
- The resourcing of GDPR compliance including a particular focus on the DPO role.
- Variances across all major sectors of the economy including private, public and third sectors.
For a briefing on the GDPR focused on the in-house audience, see Practice note, UK in-house counsel briefing: GDPR. For information generally on the GDPR, see EU General Data Protection Regulation toolkit.