ExchangeWire Research reveals a widespread lack of understanding of the complexities of the upcoming GDPR, pointing to a fundamental lack of preparation and a severe risk of non-compliance. The insurance, finance and banking sectors appear to be ahead of the curve; retailers lag behind.
– Just 3% of professionals whose role involves consumer data collection, storage, or processing fully understand what is covered by the upcoming GDPR
– Only four in every ten (42%) say their company will use independent legal advice
– One-third (32%) anticipate a significant impact, despite a lack of understanding
– Data professionals in the insurance, finance, and banking sectors feel well-prepared for the impact of the GDPR – those who work in the retail sector lag significantly behind
– Tactics considered for meeting the new requirements vary by sector, based on existing practices – there is no one-size-fits-all solution
What is the GDPR?
The General Data Protection Regulation (GDPR) comes into effect in May 2018 and covers: individuals' (consumer) rights when it comes to understanding and choosing how their personal data is used; businesses' accountability for data control and processing; governance of data; data breach notification processes; and transfer of data.
The GDPR applies to all organisations that are deemed data processors or data controllers, including those based outside the EU that process the personal data of individuals in the EU.
In order to understand how widely the regulations are understood, and how prepared organisations are for the required changes, ExchangeWire surveyed 200 professionals whose role involves data collection, storage, and processing.
How well understood is the GDPR?
An optimistic third (32%) of respondents say they fully understand the regulations and how their company needs to adapt to comply. However, only six of the 200 respondents (3%) correctly identified the aspects covered by the GDPR without also selecting any of our red herrings (figure 1).
“There is a lot of overconfidence and not so much knowledge”, says Nicola Fulford, commercial, technology, and data protection lawyer at Kemp Little.
How are companies preparing to comply with the GDPR?
More than four in every ten (41%) respondents say they “feel very well prepared”; this rises to 61% in the insurance, finance, and banking sectors (figure 2).
Overall, a minority (11%) report that they “do not feel prepared”; however, this rises to 19% in the retail sector (figure 2). “Retailers, typically, have not had to invest heavily in compliance teams or frameworks, so they have more to do to get ready for the new regulations”, suggests Fulford.
Technology has driven significant shifts in the retail sector, one of which is the introduction of e-receipts, which have a big impact on the data held within the business. “Retailers may not be as savvy as other types of businesses, such as finance and telcos, who have been under scrutiny from a data perspective for a lot longer”, comments Fulford. “It’s a lot easier to build on an existing, compliant framework than it is to build something from the ground up.”
One-third (32%) of respondents anticipate that the GDPR and the changing requirements around data governance and data protection will have a very significant impact on their company (figure 3).
Overall, 42% of respondents say their company has considered, and is planning to use, independent legal advice. This rises to 55% in the insurance, finance, and banking sector and to 53% in the telecommunications sector. Again, the retail sector lags behind, with only 39% seeking and using independent legal advice (figure 4).
“It’s somewhat surprising that less than half (42%) say their company is looking for outside legal advice”, says Todd Ruck, chief privacy officer, Evidon. “Companies will need help from experts to translate 99 articles (39 that require documentation) into action and prioritise what needs to be done in 14 months”, Ruck adds.
Businesses could be reluctant to work with law firms simply because this is a partnership that has not really existed before. By and large, operations within businesses have been defined solely by the business, so this is uncharted territory.
However, Ruck points out a significant benefit to companies who form a legal partnership: “Running the contract through a law firm means a company is protected if something goes wrong.”
How are businesses preparing?
There are many different tools and processes that businesses can implement to comply with the new regulations. In figure 5, we see that different types of organisations are considering different approaches.
“Data controllers come in all different shapes and sizes, with different data and different purposes, so there is no one-size-fits-all solution”, says Fulford.
Those in the insurance, finance, or banking sector are prioritising solutions that allow them to match and enhance customer data (35%). “Finance companies will have customers who have disparate accounts – one current account, an ISA, a savings account, etc. So, even though all products are with the same bank, the data may not all be in the same place. The idea of a single customer view is talked about a lot, but is rarely a reality”, comments Fulford.
“Retailers, on the other hand, are more likely to have a single set of data”, Fulford explains. However, because of a lack of industry data regulation in the past, retailers are looking to improve their data preparation techniques.
What about the future?
The future will be different depending on the type of business. “In some ways, the exercise of working out what data you have, why you have it, and what you’re using it for can lead to business improvement through insight and data connections – and not just have a negative impact”, says Fulford.
There will also, no doubt, be further changes as the Internet of Things (IoT) takes off and the volume and variety of personal data collected grows.