Since the GDPR will take effect on May 25, 2018, there is less and less time to prepare for it. Companies must ensure they are compliant before that date, because there is no grace period once the GDPR applies. As a regulation, the GDPR does not require implementation by the Member States; it enters into force at the same time throughout the EU.
CIPL and Avepoint surveyed 223 respondents, mostly multinational organizations, in order to understand how well companies are preparing for the GDPR. Of those 223, 93 percent operate in the EU, with a mix of data controllers and processors.
Organizations most often report that breach notification requirements, and the rules and requirements for processing contracts placed upon processors, present the highest burden. Privacy programme management will also require substantial investment and major changes. Senior management is also highly concerned about the stiffer sanction regime.
A concern is that only one fifth of companies felt ready for the implementation of the GDPR privacy programme requirements. Only a quarter considered themselves to be fully compliant. The rate is even lower for compliance with international data transfer requirements.
Half of the companies have begun discussing the allocation of additional resources to ensure GDPR compliance; 30 percent said they would not allocate anything.
Most organizations still employ manual processes for data classification, inventories, breach management and data protection impact assessments (DPIAs). Avepoint claims most of these processes can be automated.
The areas companies find least clear are legitimate interest (25%), privacy by design (23%), and PIAs and risk (21%).
Determining the main establishment should not be a problem: over three quarters report that they can do so and be fully compliant.
The GDPR introduces higher thresholds for consent, and most companies are not ready for that. Nine out of ten companies use consent as a basis for data processing, but only one third of all organizations are compliant with the GDPR requirements. This is because most (78%) do not obtain separate consent for each processing activity, and most lack the mechanisms to ascertain the validity of consent.
About half will continue to rely on legitimate interest as a ground for processing, as they do today, while 31.3% will rely on it more than they do now.
About 55% of companies conduct DPIAs for high-risk operations, but only a quarter automate the process. Two-thirds still employ spreadsheets or Word documents.
The good news is that over 80 percent of all companies employ privacy by design measures at least occasionally; 40 percent do so in the majority of cases.
The Relationship Between Controllers and Processors
Processors are also directly subject to the GDPR, so the contractual provisions between the two parties are no longer the only requirements. Furthermore, contracts must contain certain provisions prescribed by the GDPR.
Therefore, most contracts will need to be renegotiated. Unfortunately, 40 percent have not even started reviewing and renegotiating these contracts.
Most processors claim they will be affected most by the requirement to document all data processing activities and to comply with the terms of the revised agreements. Cross-border data transfers are also a point of contention.
Companies welcome the fact that the GDPR will provide more international data transfer mechanisms. The most popular one, the EU Model Clauses, will remain the primary mechanism, although use of Binding Corporate Rules is set to jump from 13 to as much as 28 percent.
As for the new mechanisms, 10 to 15 percent intend to use ad hoc safeguards, and about the same percentage will make use of certifications and data protection seals.
Over three-quarters have enacted internal reporting procedures and an incident response plan, and 63.5 percent have an incident response team. Only a third run dry-run data breach scenarios, or have cyber insurance and PR consultants. Even fewer (28%) employ forensic experts. We do not doubt that more and more companies will hire PR consultants and take out insurance, as they provide great value in containing the fallout resulting from breaches.
However, the majority of organisations do report breaches, and some do so voluntarily. They work to minimise the likelihood of breaches through internal policies, encryption, staff training and IT security programmes.
Over half of companies are unsure whether data portability is relevant to their data processing, or do not consider it relevant at all. Fewer than 10 percent have procedures in place to facilitate personal data transfers. This area will require major improvements.
The obligation to keep records of all data processing activities is a heavy burden for companies. A little under half do not keep quality records, or have no records at all. International data transfers are better recorded.
About a third of all companies tag their sensitive data, and doing so by hand is common.
CIPL and Avepoint are expected to publish the next GDPR benchmark study later this year, with perhaps more promising results. We hope that much has changed since May 2016, when this study was conducted. It will be interesting to compare the two datasets and see where, and whether, there has been any progress.
The full report can be downloaded here, and the abridged version here.