
Organisations are still struggling with GDPR compliance

Research suggests that a lack of visibility of crucial personal data is leaving many businesses failing to meet the GDPR

Research from Crown Records Management has found that over 75% of organisations could be struggling with EU General Data Protection Regulation (GDPR) compliance, introduced by the Data Protection Act 2018, a full year on from the introduction of the new regulation.

The survey was conducted by Sapio Research in March 2019. They interviewed 103 senior managers, IT and data professionals in companies with over 250 employees.

Kevin Widdop, Information Security Consultant at Crown Records Management commented: “It’s concerning to witness that a year on from the introduction of GDPR businesses are still struggling to implement effective records management processes, leaving them open to potential fines. Companies have clearly implemented GDPR policies but have failed to put the building blocks in place to live by them.

Organisations seem to be finding data retrieval, redaction and storage the most challenging areas. By reviewing internal processes and making the necessary changes businesses can reduce the risk of non-compliance. Systems that help to digitise and index all relevant data are essential as they make it easier to search for and retrieve information quickly.”

The research reveals that organisations also seem to be struggling to meet deadlines for GDPR compliance.

GDPR compliance capabilities

Major observations and conclusions from the research were as follows:

  • Only 23% of businesses considered their compliance capabilities around GDPR to be very good
  • Just 20% of the 100 CIOs and data professionals within large organisations that were surveyed rated their business’s ability to prove that their data collection and processes are GDPR compliant, leaving many at risk of potential fines
  • Only 22% of respondents felt that their ability to confirm the identity of people making subject access requests was strong. Their ability to effectively redact information from documents if required was also a challenge for most, highlighting the need for better control over data and improved processes and systems to support GDPR compliance
  • Close to half of respondents felt that their organisation’s data storage methods are in need of improvement and attention (46%), closely followed by data retrieval processes (44%) and data storage and protection (43%)
  • Less than a quarter of organisations (24%) feel their ability to provide all personally identifiable data (PID) if required is very good
  • Only 27% of respondents said their ability to provide data within the timeframe if required was up to scratch

Kellie Peters, Director at Databasix concluded: “Over the last 12 months organisations have gained awareness of what GDPR is but not necessarily what’s involved with implementing a successful GDPR procedure. It’s important to understand where your data is because if you receive a Subject Access Request, you only have 30 days to provide the information. Therefore, it’s crucial you have full visibility of what data you’re holding and where.”

Room for more cybersecurity

An annual survey has illustrated the changing attitudes of organisations towards cybersecurity. According to the Cyber Security Breaches survey, GDPR has accelerated the pace of change across organisations. However, GDPR has had some unintended consequences. It has led some organisations to frame cybersecurity largely in terms of avoiding personal data breaches. These organisations were less focused on other kinds of breaches or attacks. They typically had a narrower set of technical controls in place.

Statistics from the survey show a reduction in the percentage of businesses suffering a cyber breach or attack in the last year: 32% of businesses identified a cybersecurity attack in the last 12 months, down from 43% in the previous year.

The reduction is partly due to the introduction of tough new data laws under the Data Protection Act and the GDPR. 30% of businesses and 36% of charities have made changes to their cybersecurity policies and processes as a result of GDPR coming into force in May 2018.

Over the past year, there has been a significant increase in understanding about personal data, predominantly because of the implementation of GDPR. However, there still remains a perceived barrier in relation to how personal data can be used within today’s digital society.
