95% of firms not ready for General Data Protection Regulation

Posted on 26 Apr 2018 by Jonny Williamson

New research has shown that 95% of European businesses are not ready for the General Data Protection Regulation (GDPR) a month before it comes into effect.

95% of European businesses are not ready for the General Data Protection – image courtesy of Depositphotos.

Even though 97% of organisations admit that the implementation of the GDPR will affect their business, just 5% say they are fully prepared for the new data regulation, with 33% stating that they are just over half way to compliance.

The GDPR comes into effect on 25 May 2018 and will require all organisations to comply with stricter rules concerning the data protection and privacy of data subjects (citizens) within the EU.

Failure to comply could result in fines of up to €20m or 4% of an organisation’s annual global turnover, with supervisory authorities expected to crack down hard to encourage greater compliance.

Just four weeks away from the deadline, the research from the Cybersecurity and Information Resilience division of BSI has found that European businesses are aware of the looming deadline – but far from ready.

Over half of organizations surveyed highlighted their concern regarding the role of their employees in GDPR compliance, with one in five businesses revealing that they had experienced a data compromising incident in the past 12 months.

The Data Protection Commissioner reported 2,795 valid data security breaches in 2017, an increase of 26% from 20161.

The research also revealed that:

  • One in five senior managers are actively engaged with the GDPR on behalf of their organization
  • 36% are allocating a substantial level of resources to meet GDPR requirements
  • 97% of organizations admit that the GDPR will affect the way they conduct their business

Data Protection Officer (DPO)

While specific sectors (e.g. public authorities) and organizations engaged in high risk data processing are obliged to appoint a Data Protection Officer under the GDPR, the survey found that:

  • Only 27% of organizations have a DPO training programme in place
  • More than half of organizations do not provide data protection training to employees
  • 63% of businesses have not assigned a DPO

Privacy Impact Assessments (PIAs)

An additional key requirement of GDPR is Privacy Impact Assessments (PIAs) (a risk-based assessment used to ensure that the rights and freedoms of individuals are protected when any processing of their data is performed by an organization).

Alarmingly the research revealed that over 40% of organisations surveyed weren’t aware that PIAs will be a mandatory requirement and only 12% claimed to have a good knowledge of PIAs.

Stephen O’Boyle, head of Professional Services at BSI, said: “There’s a lot of talk surrounding the GDPR but with less than one month to go our research shows that organizations are still unprepared and don’t fully understand what’s required of them. Becoming GDPR ready is less complicated, less expensive and less daunting than many businesses think.”

Get insights like this delivered straight to your inbox

5 Digital Briefings | 5 Front-of-Mind Topics | 5 Days a Week

  • Monday: Manufacturing Innovation
  • Tuesday: Manufacturing Leadership
  • Wednesday: Digital Transformation
  • Thursday: Industrial Automation
  • Friday: Industrial Internet

Sign up for free here.