With just 6 months to go until the EU GDPR becomes enforceable, there doesn’t seem to be a day that goes by without research and statistics showing alleged “unpreparedness” for the new regulation, and a survey conducted for RSM Global (the audit, tax and consulting network) by the European Business Awards was brought to our attention as it claims that 92% of EU businesses are underprepared for the EU GDPR.
The results from this survey of EU businesses (https://www.rsm.global/news/92-european-businesses-are-unprepared-gdpr) also report that:
- 28% are unfamiliar with the new regulation they will need to adhere to in less than seven months
- Over half (51%) believe the regulation is too complex for SMEs and middle market businesses, but agree that increased regulation around the use of personal data is necessary.
Whilst the survey doesn’t include specific details about the companies who participated in this research, they do say that the survey was completed by 400 of Europe’s successful business leaders, who were asked about their preparedness for GDPR and how the new regulation will impact their operations.
Given the number of data breaches reported in various media over the last 18 months it probably shouldn’t come as too much of a surprise to read such stats. However, when one considers the types of businesses who have reported data breaches and volumes of personal information being compromised, it can be argued that there is cause for concern as to how seriously our personal information is being taken by companies and organisations.
Of course – it’s not just EU businesses who are underprepared. One only has to look at companies outside of the EU who have been subject to hacks and data breaches. Businesses who operate within the Finance/Insurance sector, Telecommunications & Utility Suppliers, Retail, Travel (Hotels and Airlines in particular) will more than likely control AND process customer (and employee) information (such as names, physical/email addresses, drivers’ licenses, financial data such as Credit Card details for example) which is both highly sensitive, and highly valuable.
It has also been well documented that even well-known digital media organisations (search engines for example) are susceptible to a data hack or breach, and Government elections have (allegedly) been subject to vulnerabilities. Let’s not forget Online Dating sites, and global accountancy/consultancy firms, Councils, Hospitals/Health organisations (credit scoring bureaus and ride-hailing platforms could also be included in the list as well) – all who have experienced a data breach where personal information has been compromised.
The ICO recently published their latest guidelines for organisations around the EU GDPR, which includes detailed information on (amongst other updates) the Codes of conduct and certification. They state that in order to help comply with the regulation, the Codes of Conduct should cover topics such as the collection of personal data, pseudonymisation of personal data, and also states that technical and organisational measures including data protection by design and default as well and security measures, data transfers outside the EU, and breach notification (if you’re not familiar with the any of the terminology or definitions that are set out within the EU GDPR we’ve discussed some of the terms in our previous blog post here).
Whilst the ICO state that signing up to a code of conduct or certification scheme is obligatory, they do go on to say that “adherence to a code of conduct may serve as a mitigating factor when a supervisory authority is considering enforcement action via an administrative fine”.
If you are in the process of implementing systems to ensure compliance and would like to find out how GDPRPLAN.com can help through our staff training and awareness programmes, click here to get in touch.