Many organisations feel unprepared for today's General Data Protection Regulation (GDPR) deadline of 25 May 2018, various polls suggest, but experts are reassuring HR professionals that they still have time to put measures in place.
A recent report by Crowd Research Partners found that 60 per cent of businesses affected by the GDPR did not expect to have everything prepared by today.
Meanwhile, a study released earlier this month by IBM found that only 36 per cent of the more than 1,500 business leaders surveyed believed they would be fully compliant by today. Even so, 84 per cent thought that being able to prove compliance with the GDPR would differentiate their company, and 76 per cent felt the regulation would build trust between them and their customers.
A report by the Ponemon Institute, published last month and covering more than 1,000 companies in the US and the European Union, found that two in five (40 per cent) did not expect to be fully compliant until after 25 May, while a further 8 per cent said they did not know when they would be compliant.
“Ideally, HR professionals should have revisited their data protection practices detailed in employment contracts, staff handbooks and company policies, and ensured that the business is GDPR-ready and compliant,” Keely Rushmore, senior associate at SA Law, told People Management. “However, it’s not too late and taking the right steps now is essential to avoid more confusion and, at worst, a hefty fine.”
In particular, Rushmore recommended that HR professionals who haven’t already audited their employee data do so now and delete any information they deem no longer necessary.
“Most HR professionals and businesses feel unprepared, so don’t feel you are worrying alone,” added Mel Stancliffe, partner in the employment team at Irwin Mitchell. “The new law is a substantial change from the way businesses store and use data and we all have to up our game.”
Stancliffe also suggested that HR professionals speak with others in their organisation, particularly the IT department, to formulate an action plan should there be a breach, noting: “It won’t happen overnight, but being able to demonstrate a willingness and plan, even if the process follows, is better than no start at all.”
Meanwhile, Charles Cotton, performance and reward adviser at the CIPD, said: “For HR departments that don’t think their organisation will be ready, HR needs to do an analysis of what’s lacking and create an action plan to rectify it. Even in organisations that are ready for the GDPR, HR needs to monitor that staff are still aware of what’s required through regular reviews and the employee development process.”
The regulators appear to grasp the vast amount of work organisations are having to undertake. The UK Information Commissioner, Elizabeth Denham, blogged earlier this week that she was aware the work towards compliance would extend long past Friday.
“It’s an evolutionary process for organisations – no business, industry sector or technology stands still,” she wrote. “Organisations must continue to identify and address emerging privacy and security risks in the weeks, months and years beyond 2018.”
Earlier this month, a survey by Reuters revealed that some regulators might be unprepared themselves: 17 of the 24 national data protection authorities that responded said they lacked either the funding or the powers to properly enforce the new law.
The GDPR revamps existing data protection law in several ways, including requiring consent to process personal data to be given more explicitly, requiring personal data breaches to be reported to the supervisory authority within 72 hours of the organisation becoming aware of them, and tightening the rules around subject access requests, which must now be answered within one month and without the previous fee. It will affect the way businesses handle data generated by recruitment activities and the information they store about employees.
The GDPR also introduces maximum fines of up to €20m or 4 per cent of global annual turnover, whichever is greater, for those who fall foul of the law.
But, despite the barrage of consent emails flooding into inboxes, a survey of 2,000 UK adults carried out between 21 and 23 May by Top10VPN found that almost half (44 per cent) had not heard of the GDPR.