Nine months on from the implementation of the General Data Protection Regulation (GDPR), there’s an alarming amount of ostrich activity going on. Recent research has shown that 70% of companies are still not fully compliant and are yet to get their heads around what’s expected of them.
A new study by office equipment company Fellowes found that 17% of employees still haven’t been provided with new data protection guidance, and one in ten don’t know who in their organisation is responsible for the GDPR. A further 33% admitted to regularly leaving confidential data unattended!
The reasons for this slow uptake vary. In some organisations, it comes down to a genuine lack of understanding about the new laws. In others, it’s about being overwhelmed and seeing the development of new policies as just another onerous task on the to-do list that they’ll get around to when they have the time. Other managers just think it’s a lot of fuss over nothing – the likelihood of any major data problem arising is minimal, and it’s just an excuse for IT security people to take their money. After all, nobody’s even been fined yet.
And that’s the important word – YET.
The European Data Protection Supervisor, Giovanni Buttarelli, recently told Reuters to expect the first round of fines by the end of the year. The supervisory authorities have reportedly been “overwhelmed” with consumer complaints since the GDPR came into force on May 25th, and when they do come to enforce the rules, the fines won’t be small. Any organisation found to be in breach faces fines of up to €20 million or 4% of global annual turnover – whichever is higher. Buttarelli expects those sanctioned to come from all around the EU, including a number of public bodies, and warns that there’s no excuse for companies to keep dragging their feet:
“E-privacy is simply indispensable. It is essential, it is a missing piece in the jigsaw of data protection and privacy. (Failure to update) would really be a dereliction of duty.”
On the flip side, the Information Commissioner’s Office – the UK’s own data protection authority – has been inundated with reports that don’t meet the threshold for a notifiable incident. While it’s encouraging that the organisations making them are taking their obligations seriously, it shows a widespread lack of understanding of the GDPR and what it actually requires of businesses.
Many reports received by the ICO are incomplete or unnecessary, suggesting that companies think they need to report everything data related, like someone leaving their desk for 30 seconds with a client file on display. That is clearly bad practice, but it isn’t a personal data breach unless someone unauthorised actually gains access to the data (or it is lost, destroyed or altered), and even then it only has to be reported to the ICO, within 72 hours, where it is likely to pose a risk to the individuals concerned. A near miss is something to log and learn from internally, not something to notify the regulator about.
The bottom line is this. If you’re still not fully compliant with the GDPR, you can’t go on sticking your head in the sand. The fines are on their way, and by the end of the year lots of companies will find themselves significantly out of pocket. That’s bad enough for the big fish, but smaller businesses that just didn’t manage to get around to sorting things out have the most to lose.
So what happens next?
Here’s what we can do to help. We can make sure that, from a technology point of view, you are fully up to date and protected. That means knowing what personal data you hold and keeping it safe and accounted for at all times. It also means that a small mistake by someone in your business, such as leaving a laptop on a train, doesn’t turn into a crisis: a lost device whose disk is properly encrypted is treated very differently under the GDPR from one that isn’t, because the data on it stays unintelligible to whoever finds it. Essentially, we give you peace of mind about the security of your data under the GDPR, so you can get your head out of that sand and dare to look at the light again.
Iron Dome can help you manage your compliance using network tools that provide monthly reports showing exactly what data you hold, where it sits and how it is stored. The same tools generate task lists for the people responsible, each with a deadline, to bring you back into compliance. As much of this as possible is automated, so that compliance becomes part of your everyday business processes rather than a one-off effort.
The GDPR covers much more than breach reporting, including the right to erasure (the “right to be forgotten”). We can help you put in place the systems and processes that make these kinds of requests straightforward to handle. Speak to our GDPR experts today on: 0203 358 0203