Deloitte has conducted a General Data Protection Regulation (GDPR) benchmarking survey across a sample of organisations and industry sectors in EMEA. The aim of the survey was to understand how organisations are preparing for GDPR compliance, how advanced their implementation plans are, and how confident they are of achieving their goals by 25th May 2018.
“GDPR is the biggest overhaul of Europe-wide data protection rules since the 1995 EU Data Protection Directive, covering organisations of all sizes and sectors, and introducing new business responsibilities. The complexity of GDPR has already seen many organisations opting to mitigate risk, rather than strive for full compliance” said Peter Gooch, cyber risk partner at Deloitte.
“According to a recent survey Deloitte conducted, just 15% of organisations are aiming to be fully compliant by the 25th of May. It’s likely that everyone in the UK will have their data held in breach of the regulation in one shape or form.
“Nevertheless, fines could amount to 4% of global turnover. Organisations are very aware of this as they implement their GDPR strategies.”
On ‘re-consenting’, such as opting in to newsletters, Gooch added: “Re-consenting exercises are seeing response rates as low as 10%, drastically reducing the reach of campaigns, but at the same time reaching on average a much more engaged audience.”
Facts and figures on General Data Protection Regulation (GDPR):
- As of 25th May, significant personal data breaches must be reported to the regulator within 72 hours and potentially to customers without “undue delay”;
- Fines could potentially be up to 4% of global turnover; and
- A re-consenting exercise may be required in instances where current consent gathering does not meet GDPR’s higher standards.
Findings of 2017 Deloitte survey:
- By 25th May, just 15% of organisations surveyed by Deloitte in December expected to be fully compliant;
- By 25th May, just 38% of data controllers expected to have reviewed all processing contracts;
- 17% of organisations planned to introduce a new solution to manage consent;
- Just 35% of organisations had a data breach reporting procedure aligned to GDPR requirements;
- Less than half (48%) of organisations had a Privacy Impact Assessment procedure in place;
- 52% of organisations had chosen a risk-based, defensible position; and
- 33% of organisations had not determined headcount increase requirements.
Five greatest challenges to organisations:
- Ensuring that consent to hold data - where required - is informed, unambiguous and recorded;
- Developing a culture of privacy by default, while not depriving the business of the benefits of appropriate data use;
- Keeping a record of decisions and positions of accountability, and demonstrating compliance;
- Estimating and securing the operational and headcount requirements to deal with the new regime long-term; and
- Transitioning programme activities that have been running into sustainable business-as-usual activities.
Top tips for organisations:
- Ensure all data holders are made aware of their accountability for handling personal data;
- Agree responsibilities across different parts of the organisation and ensure the approach is consistent;
- Perform risk and cost-benefit analysis to ensure any GDPR strategy meets appropriate requirements;
- Ensure internal messaging sets out the importance of the topic and the role of the individual; and
- Define a long-term operating model that ensures technology and responsibilities are monitored and assessed on an ongoing basis.
For additional information or to view “The General Data Protection Regulation Benchmarking Survey”, click the link https://bit.ly/2s8sU54.