100 days to GDPR compliance deadline

As the clock ticks down to the deadline to comply with the EU’s new data protection regulations, some surveys indicate there is still some confusion, but the focus has shifted from the sanctions to the benefits

Ever since the maximum fine provided under the EU’s General Data Protection Regulation (GDPR) was set, that has largely been the focus of discussion, but with 100 days to go, that appears to be shifting.

At one end of the scale, many UK businesses are under-prepared for GDPR with just 100 days to go before the compliance deadline on 25 May 2018, but at the other end, businesses are embracing the benefits.

On the negative side, many businesses are still struggling with the enormity of the task ahead, according to Kolvin Stone, partner and global co-chair of the cyber security and data privacy practice at global law firm Orrick.

“The awareness around GDPR is generally good, but the level of readiness is all over the map,” he said. “The key factors that are affecting an organisation’s ability to prepare mainly relate to a lack of senior buy-in, strong leadership, planning and resources.”

There is a pattern of organisational and structural challenges that are cause for concern, according to Julian Saunders, CEO and found of data management firm PORT.im, with many companies still in denial that GDPR applies to them.

“If a business does accept GDPR is a factor, we find that many senior managers do not take its impact seriously,” said Saunders. “It’s either viewed as a simple tick-box exercise or an issue solely for the marketing or IT team. And when businesses do realise that GDPR should be taken seriously, there is often an absence of data governance and processes that will enable long-term compliance.”

A recent government-sponsored survey revealed that less than half of UK businesses and charities were aware of GDPR just four months before the compliance deadline.

“It is astonishing that so many businesses are ignorant of GDPR,” said Saunders. “Our own research indicates that only 27% of businesses believe that GDPR applies to what they do – this is despite 72% stating they deal with personal data.”

But Saunders is among those who point out that GDPR presents an opportunity to maximise the value of data and improve the relationship with, and services supplied to, customers.

Read more about GDPR

The DMA Group, which includes the Direct Marketing Association (DMA), is also marking the 100-day countdown mark with a positive outlook.

Transparency is the key to making more consumers happy with data sharing, according to research by the DMA and Acxiom, which shows that people are increasing happy about the data they share, but transparency is the key to taking this to the next level.

More than six out of 10 consumers polled said they are happy with the amount of personal information they share, and the survey shows that this change in attitude has been greatest among 55 to 64-year-olds, who have historically been more cautious, with 63% saying they are happy with the amount of data they share today, compared with 47% in 2012.

The survey report notes that 88% of respondents cited transparency as one of the keys to further increasing trust in how their data is collected and used.

“Our research shows that consumer attitudes are already changing in a way that makes us optimistic,” said Chris Combemale, group CEO of the DMA. “GDPR establishes a level of transparency and honesty about how data is collected and used, which will be essential to continuing to build and maintain trust between businesses and consumers.”

This trust, according to the DMA, as well as to UK information commissioner Elizabeth Denham, is central to data exchange, and is showing the value to both the business looking to prosper and the customer looking to benefit.

The DMA/Acxiom research reveals an important change in attitude is under way, with more than half (51%) of the respondents viewing data as essential to the smooth running of the modern economy, up sharply from 38% in 2012.

Relatively unconcerned

This is mirrored by the continued rise of consumers who appear relatively unconcerned about matters of data privacy and the exchange of data, which has increased from 16% to 25% this year. Younger respondents were even more relaxed about privacy and readier to share data, with 38% falling into this “unconcerned” group.

Jed Mole, European marketing director at Acxiom, said the research shows a clear trend towards greater real-life acceptance of data exchange as part and parcel of everyday life.

“This is good news for marketers who believe in data ethics and adopt the highest standards in data-driven marketing,” he said. “Using data to drive more transparent value, treating people as individuals while giving them control, especially as we enter the GDPR era, is key to achieving the win-win that businesses and consumers really want.”

The proportion of people who are “data pragmatists” has remained broadly static at about half of the UK population, with these consumers willing to exchange their personal information for clear benefit or enhancement of services.

The survey found greater willingness among young respondents to view data as a tradeable asset that they can use to negotiate better prices and offers. More than six out of ten in the 18-24 age group viewed their data in this way, compared with 56% among all respondents.

Although the time left to prepare is limited, Orrick’s Stone said businesses can improve their readiness significantly by ensuring that the entire organisation coalesces around an agreed compliance plan and has a strong and empowered GDPR working group to implement that plan. 

“Respecting privacy rights is a team sport and complying with the regulation is everyone’s responsibility,” he said. “Once that is realised, organisations have a much higher chance of reaching the finish line in a medal-winning position before the compliance deadline.”

These next few months are critical and are likely to be a mad rush for a number of organisations, said Stone. “But, amidst the chaos, it is important to note that GDPR, while a legal requirement, should help to increase clarity, respect and trust around personal information for customers, employees and shareholders.”

For any organisations that still need help, Stone said Orrick has built an automated GDPR tool that enables companies to assess their compliance readiness.

Read more on Privacy and data protection