Time is running out for UK businesses. By 25th May 2018 every business, charity and organisation needs to be ready for the General Data Protection Regulation (GDPR), because from that date EU regulators will start enforcing compliance. Yet a recent survey found that only 11 per cent of companies said their preparations are ‘well underway’, while 61 per cent admitted they had not even started the task of GDPR implementation. There are just 300 days to go.
GDPR compliance requires commitment and action, and with only ten months to go the pressure is on to take it very seriously indeed. An estimate by Gartner states that only 50 per cent of companies will be ready by the end of 2018, let alone May. Given the power to impose much larger fines, GDPR cannot be ignored. To put it in context, the fines imposed on UK organisations by the Information Commissioner’s Office (ICO) last year totalled £880,500. Under GDPR those fines would be closer to £69 million.
So, why are British companies lagging behind? Perhaps some feel that the challenge and expense of embedding GDPR in their organisation is mitigated by the fact that only a few will be caught by regulators during the early bedding-in period. This may be true to an extent. We are unlikely to see thousands of cases being brought. But it is possible that EU regulators will go for shock and awe tactics in the first few months, imposing bold enforcement actions and large fines on a few transgressors to serve as a lesson to all. No one wants to be made an example of.
In the end, however, it is not fear of punishment but pressure from within that will push GDPR compliance forward. With processors, vendors, data controllers and suppliers all tied in to each other’s compliance, those that do not comply will be dropped in favour of those that do.
To support GDPR readiness, the ICO has produced a range of guidelines to help businesses with the implementation of GDPR. These include website pages dedicated to the data protection reform legislation, and an updated toolkit for SMEs that includes a checklist to help organisations in their GDPR preparations. The practical work of assessing your existing level of readiness, together with a targeted schedule of actions, is best carried out in partnership with a specialist information security consultant. In this way, you can prioritise and plan according to your organisation’s unique requirements.
SRM has a wide range of knowledge and practical experience. Our teams are GCHQ approved and are GDPR practitioners, working with clients to build robust and cost-effective defences. Because hackers are ingenious and constantly changing their tactics, breaches can and do occur. However, with appropriate defences in place a business would be much better placed when it comes to an ICO investigation. Our consultants are ready to help you understand the risks to your information and to provide the strategic and practical guidance to manage that risk effectively.