Out-Law News | 25 May 2017 | 9:30 am | 3 min. read
The General Data Protection Regulation (GDPR) will apply from 25 May 2018 and place a raft of new requirements on organisations over the way they process personal data. Businesses face potential fines of up to 4% of their annual global turnover, or €20 million, whichever is highest, if they fail to comply with the new rules.
Despite this, however, 42% of IT decision makers at large companies based in the UK, France, Germany and the US, surveyed by Varonis Systems, said they do not view compliance with the GDPR by 25 May 2018 "as a priority".
According to the survey report, 90% of the 500 IT decision makers surveyed believe the GDPR contains provisions that "represent a challenge to their organisation". Complying with rules that give data subjects a qualified right to erasure of their data, new record-keeping duties, and rules regarding the security of personal data processing, were identified as the top three challenges to businesses.
Under the GDPR, many organisations will be obliged to carry out data protection impact assessments (DPIAs) prior to undertaking new personal data processing activities. However, the Varonis Systems survey found that 32% of businesses have not carried out a DPIA, or an internal audit of what can access the personal data they hold, in the past year.
Where DPIAs or internal audits were carried out in the past year, 58% of businesses found at least one instance where there was "overly permissive data access policies giving free access" to personal data, according to the survey report.
The data protection risks posed by the 'bring your own device' (BYOD) trend were also highlighted in the report. Almost half of the survey respondents (49%) said employees' personal devices were one of the top three "greatest challenges" for complying with the GDPR facing their organisation when assessing their organisation's "entire IT environment".
According to the survey, businesses view the BYOD risk as greater than storing personal data in the cloud or on workstations in company premises.
Varonis Systems said that 91% of the businesses surveyed believe the GDPR will have benefits for their organisation. More than half of businesses (60%) believe that they will gain "a competitive advantage" over other organisations in their sector if they comply with the GDPR.
According to the survey, 44% of businesses also believe they will be less likely to experience a "high profile data breach which would prove damaging to their reputation" as a consequence of the new Regulation. The GDPR will require organisations that experience data breaches to notify both regulators and affected individuals under certain circumstances.
However, "business drawbacks" stemming from the GDPR, including increased costs in ensuring compliance and more job complexity, were noted by a majority of respondents.
In addition, 68% of the businesses surveyed believe that a UK organisation "will be made an example of" if it is found to be in breach of the GDPR "as a result of Brexit".
Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "An increasing number of businesses, outside just the usual sectors, increasingly report – in their annual accounts, and in other channels – on the importance of their data assets. Similarly, an increasing number apparently fret about cyber risk as a significant issue on their risk registers, as they continue, or in some cases begin, their 'digital' projects."
"In this context, strategic thinkers in these businesses will be looking at surveys like this one and asking themselves how they can most effectively position their businesses to take most advantage of their data assets, including, in some cases, how they can derive competitive advantage by complying with GDPR," he said.
"In terms of negative incentives for compliance, seasoned data protection officers and their colleagues appear to have moved on from worrying overly about the possible fines they might face, to consider the impact of other, in some ways more troublesome, powers of the data protection authorities under GDPR. Those further powers include powers to stop data processing, order compliance, and to order communication of a personal data breach to customers or employees. These should be of at least as much concern to boards, and, with a year to go, a powerful incentive to consider GDPR priorities afresh," Dautlich said.