It doesn’t matter if they were given more than two years to get ready, with six months to go until the EU GDPR deadline, it’s going to be a sprint finish for a worryingly large number of companies.
That’s the view of law firm Blake Morgan. Its survey of the readiness of companies in the UK found that a high number are at risk of non-compliance. We’ve been talking about companies not being ready for the new regulations for some time now, but perhaps a conversation we should start having is whether they actually care. There are only so many warnings that can be given before you realize no-one is actually listening.
According to the research, only 13% of businesses had updated their privacy policies, one of the significant requirements of GDPR. 23% said they were unaware of the new data protection laws despite the looming deadline of 25 May 2018. 39% had not taken any steps at all to prepare for the new law. 38% were not confident they would be able to comply with GDPR by 25 May. 21% do not currently have a senior person in place responsible for data protection.
These statistics do not make us believe businesses in the UK are that worried about the regulations or the consequences of being non-compliant. Just a reminder, non-compliance means a fine of up to £17m or 4% of worldwide turnover, whichever is greater.
“GDPR Compliance is good corporate housekeeping,” said Simon Stokes, a Partner specialising in data protection law at Blake Morgan.
“Not only will it avoid running the risk of financially and reputationally damaging fines or sanctions – ultimately it will assure the public’s trust in your organisation at a time when data privacy and security are more important than ever before. As the UK’s data protection regulator, the ICO, has recently highlighted, GDPR is essentially about trust.”
Perhaps companies are calling the bluff of regulators. Maybe they don’t think regulators will follow through on the fines? Maybe they don’t think their customers care that much about data protection? Perhaps the concerns of regulators and customers are secondary to commercial concerns?
The latter wouldn’t surprise anyone at Telecoms.com, as data protection doesn’t seem to be more than a PR tool right now. If it were anywhere near the top of the agenda, would we be seeing this many data breaches? Would there be any reason for websites like haveibeenpwned.com?
The sceptic in us just says these organizations do not care that much about data protection. If there is a breach or a leak, just ride the negative press for a couple of weeks and back to business as normal. The optimist in us believes these organizations have underappreciated the complexity of remaining compliant once the rules change.
In both cases, the organization is essentially saying the damage done by EU GDPR non-compliance will not be that bad. Either consciously or sub-consciously, it is prioritizing other areas over the changes that need to happen to data protection policy and processes. Either the customer’s decision-making process won’t be impacted by data protection compliance, or the ICO doesn’t have the veg to follow through on the fines.
25 May 2018 will come very quickly once the new year passes, and then we’ll find out who is in trouble. The ICO might destroy its credibility by not following through on its scare tactics, customers might prove they don’t care about data protection and privacy, or some organizations might find themselves on the sharp end of a fine and customer churn.