Is the UK going to be ready for EU GDPR?

With just under 12 months to go until the European Union imposes new data protection regulations, there seems to be a growing sense of unpreparedness throughout the industry.

Perhaps it’s because of the timeframes which were involved, or a misunderstanding of what the task actually is, but non-compliance could be a very costly mistake. Considering the fines can be as much as €20 million or 4% of annual revenues (whichever is greater), there is a genuine risk of bankruptcy.

That is certainly what research from Veritas shows. 47% of the respondents fear their organization won’t meet the requirements of the legislation, with 18%  worried non-compliance could ultimately put their organization out of business. This fear, and perhaps underappreciation of the challenge, was brought to Telecoms.com attention at the Big Data Everywhere event in November when one attendee told us many organizations had undertaken a data discovery project and uncovered huge amounts of personal information they didn’t even realize they were storing.

The risk of non-compliance is partly becoming a reality because of the data-rush which the industry experienced a few years ago. When the idea of data being the new oil emerged, many companies rushed to gather as much information as possible without really knowing what to do with it. This resulted in huge mountains of intel without any real purpose, or without the organization realizing what it had collected. Before any steps can be taken to ensure compliance, organizations need to have full visibility as to what information they currently own.

“The way forward should be based upon a clear understanding of the current levels of data protection compliance within the organisation that can be mapped against specific GDPR obligations,” said Sally Annereau, Senior Data Protection Advisor at law firm Taylor Wessing.

“Given the tight timings one approach may be to identify those processing operations presenting the biggest risks to the organisation and/or to data subjects and to focus compliance efforts and resources on those areas first.

“Key components include, implementing a data protection governance framework, documenting processing, determining the need for a data protection officer and implementing formal policies and accountability controls that can enable an organisation to manage and demonstrate their compliance in practice.”

Admittedly only countries who operate within the European Union will be under the direct influence of EU GDPR, however the Information Commissioners Office in the UK has also highlighted it will put in place almost identical rules. Perhaps this is an effort from the UK government to salvage some sort of relationship as negotiations for the separation from Europe are turning sour quickly.

“Recent announcements and guidance from the ICO have caused much concern, that the interpretation of the laws is overly strict, penalising the companies most committed to best practice, honesty and transparency,” said Chris Combemale, CEO of the DMA Group.

“What the industry needs is balanced and fair guidance from the ICO and Article 28 Working Party. With just 12 months to prepare we need this guidance urgently if we’re expected to be ready in time.”

The DMA Group has highlighted awareness of the GDPR remains high at 96%, though it claims that the number of companies which believe they will either be ‘very’ or ‘extremely’ impacted by the regulations is as high as 54%. There have been a few examples of organizations which might have been compliant under the guidance of the European Union, however the ICO’s overly strict interpretation of the rules is starting to cause some concern.

Back when your correspondent was in school, his mother used to frown disappointingly at him because of last minute, unprepared cramming before an exam. I’m sure it will be no compensation to her to learn that leaders of the British economy are just as bad.