Nearly a third of organisations still not GDPR ready

As the UK and other states implement the EU’s GDPR, many organisations admit they are still not fully compliant, but most claim to be able to respond to data subject access requests

Some 28% of organisations do not feel completely compliant with the EU’s General Data Protection Regulation (GDPR), a survey has revealed. 

The UK was among the first countries to introduce GDPR-aligned data protection legislation, so any organisations that are not fully GDPR-compliant are likely to be not fully compliant with the UK Data Protection Act 2018.

Almost a fifth of respondents are not confident they will pass their first GDPR audit, according to the survey by security firm Imperva conducted among attendees of Infosecurity Europe in London, almost two weeks after the GDPR compliance deadline on 25 May.

Less than half of the respondents said they were very confident they would pass the audit and just over one-third said they were somewhat confident.

“The deadline has now come and gone, yet the study shows that many organisations aren’t sure they have achieved GDPR compliance,” said Terry Ray, chief technology officer of Imperva.

“Any company that put GDPR off until the last minute now realises compliance cannot be achieved overnight. It does not surprise me that many organisations feel unsure about the idea of a GDPR audit. The truth is many would fail.”

To assess organisations’ ability to respond to requests by data subjects exercising personal data rights under the GDPR, the survey asked if respondents knew where all personal data resided on their systems.

While more than a third of respondents said they did know the location of the data, more than half said they would need an extra three months to get their house in order.

Conversely, almost 90% said they could easily respond to requests from individuals asking to disclose the information they hold on them, with 57% saying their organisation had already received such a request.

However, data breach notification is another key area that needs attention, according to Stewart Room, data protection lead at PwC in the UK and globally.

The first month after the GDPR deadline revealed the extent to which organisations are not properly prepared for data breach disclosure, with some organisations lacking procedures and processes, he told Computer Weekly.

Despite having a two-year grace period until 25 May 2018 to prepare for the GDPR, Room said many organisations did not appear to have matured their data breach notification processes over that time.

Findings not surprising

Tony Richards, group CISO at Falanx Group, said the findings of the Imperva survey were not surprising as an indication of the state of affairs regarding GDPR compliance.

“Organisations do seem fairly polarised on GDPR, with many businesses, especially SMEs [small to medium-sized enterprises] either ignoring it, or buying some basic policy packages peddled by ‘GDPR experts’ and thinking that they are covered.

“On the other hand, you have organisations that are either using qualified consultants or investing internally to ensure that they are compliant.

“I think it boils down to whether the organisation, culturally, is customer-centric and therefore they see value in protecting their customers’ privacy, or if they see it as a compliance issue with the bare minimum to be done, if at all.”

In addition to the UK, other first movers to enshrine GDPR principles in national data protection legislation include France, Spain, Romania and Hungary, according to a report by Privacy Laws & Business (PL&B).

France’s data protection law was adopted on 20 June and published on 21 June, Romania’s legislative proposal for implementing the GDPR was adopted on 27 June and entered into force on 31 July, and on 17 July, Hungary’s Parliament adopted a national law supplementing the GDPR. It has now been published and will enter into force after one month.

Urgent regulation

In Spain, however, due to a change of government, the new data protection law is still on hold. In the first week of August, the government approved an urgent regulation appointing Spain’s national data protection authority (DPA) as its representative on the European Data Protection Board.

The regulation also provides a transitory regime for enforcement proceedings currently underway and data processing agreements currently in force.

The European Commission (EC) has begun sending warning letters to member states deemed to be moving too slowly on GDPR implementation, according to PL&B.

Ultimately, the EC may refer member states to the Court of Justice of the EU requesting that financial penalties be applied, the report said.