Organisations are “sleepwalking towards a GDPR abyss”, a new report has warned, with 60 per cent of companies saying they are unprepared for the EU’s General Data Protection Regulation with less than four months until it comes into force.
Under the legislation, which will apply to UK organisations from 25 May 2018 despite Brexit, companies will be subject to new rules around the collection and processing of individuals’ data, and could face fines of up to £17m, or 4 per cent of their annual turnover, for failing to comply.
Despite this, a new report from software technology firm Senzing has shown that both UK and EU businesses have been slow to get their houses in order ahead of the introduction of the new rules. Three in five (60 per cent) organisations said they were not yet ‘GDPR ready’, while a quarter (24 per cent) were deemed ‘GDPR at risk’, suggesting that companies could face tens of billions in fines.
“Many businesses appear to be sleepwalking towards a GDPR abyss,” CEO and founder of Senzing Jeff Jonas said. “The fines that can be levied for non-compliance will be potentially terminal to some organisations, and even the largest companies – and certainly their shareholders – will feel a significant impact. A huge number of companies simply don’t understand the dangers of non-compliance, with smaller firms apparently particularly unaware.”
While large parts of the GDPR concern consent to handle and process customer and marketing data, one of the most significant areas of confusion is around employee data. Organisations have been warned that they may not be able to rely on historic clauses in employment contracts as consent to process employee information, and may be required to justify why they are handling certain employee data.
There are also implications for recruiters using automated processes, as they will have to notify candidates of how decisions are made if they are not subject to human intervention.
Ann Bevitt, partner at law firm Cooley, said the reported lack of preparation for the GDPR could be explained by the many smaller businesses that fell outside previous EU directives on data protection. “There are a lot of smaller companies and tech start-ups that are not caught by existing EU law, but will be caught by the GDPR,” she told People Management.
“Within that population, the vast majority are just waking up to it, purely because they did not anticipate that the GDPR would apply to them. Those small companies will also have to grapple with a steeper learning curve than larger organisations, because they do not have that base of directive compliance to build on, so will have to get to grips with the terminology and legal bases.”
According to the report, companies could be forced to spend eight hours a day, or 172 hours a month, on data searches after the implementation of the GDPR, with more than one in three (39 per cent) UK-based directors saying they were concerned about their ability to be compliant. More than one in 10 (13 per cent) UK companies said they were not confident they knew where their data was housed, while 12 per cent reported that they had not accounted for all databases.
Bevitt advised HR professionals to take initial steps to ensure any UK and EU-based employees were aware of their rights under the new legislation, and that employment contracts were up to speed with the regulation.
“If an organisation has any GDPR-relevant employees, they need to ensure they are given proper notice about what they do with their data, and that any existing data notices are updated to cover all the individual rights employees will have under the GDPR, such as the ‘right to be forgotten’,” she said.
However, the most important step for companies struggling to achieve GDPR compliance by the end of May is to ensure they can demonstrate clear efforts to understand the legislation, Graham Hansen, associate at HRC Law, told People Management.
“It could be that a lot of businesses are not fully compliant by the deadline, but there is a difference between businesses that are not fully compliant but are showing they are taking steps towards compliance, and those that are ignoring it,” he said.
“The ICO has issued GDPR guidance, so may enforce more collaborative actions to help a business learn about the changes rather than punishing organisations straight away – however, they will possess enforcing actions so, if there is a breach or data is not being processed as it should be, those organisations that have ignored it altogether could face consequences.”