With weeks to go before new data protection rules come into effect, confidence has fallen sharply among British company bosses that their businesses will be ready in time.
Only six in 10 members of the Institute of Directors believe their organisation will be fully compliant with the General Data Protection Regulation, which is due to take effect on May 25.
As the advent of GDPR has drawn closer and its impact has become clearer, there has been a marked drop in the number of business leaders who say they are “very confident” their organisations will be fully compliant with the new rules.
In the IoD’s last survey on the subject in August 2017, 43 per cent of those surveyed expressed a high degree of confidence over their preparations and state of readiness. By last month’s survey, however, that figure had dropped to 16 per cent.
GDPR, which will affect any organisation that processes the personal data of consumers and citizens inside the EU, will introduce tougher rules around privacy, user consent and the notification of data breaches. It also makes the concept of “privacy by design” — that is, putting data protection at the heart of an organisation’s systems and operations — a legal requirement for the first time.
The British government has introduced a data protection bill that will supplement and in some cases extend the reach of GDPR in UK law. That bill is now in its final stages.
Many businesses have struggled to understand the full scope of GDPR’s requirements. These include broader definitions of what constitutes personal information, ensuring an organisation has a legal basis for processing it (of which consent is only one option), and establishing just how far networks of data-sharing extend.
Jamie Kerr, head of external affairs at the IoD, said small and medium-sized enterprises were finding it difficult “to digest the sheer scale of the changes”.
“GDPR has been a long time coming for businesses but it is only proving more formidable as the deadline looms and companies drill down into the detail,” he said.
“The regulator has assured small businesses that there will not be a sudden inquisition once the rules enter into effect, but with such large penalties for non-compliance, firms must assess what they have to do to avoid falling foul of the legislation, and they must do so soon.”
Fines for the most serious breaches of GDPR are set at £17m or 4 per cent of annual global turnover, whichever is the greater.
The International Association of Privacy Professionals (IAPP) and EY, the consultancy, estimate that the world’s biggest businesses will spend $7.8bn to get themselves in full compliance with the regulation.