GDPR – Why Companies Are Still Not 100% Compliant
One-third of businesses are still failing to meet GDPR compliance according to new research by RSM. Despite the regulation being in full effect for well over a year, only 57 percent are confident in their businesses’ compliance and another thirteen percent are uncertain either way.
With GDPR now erased from the priority list for a third of survey respondents, middle market businesses are feeling GDPR fatigue the hardest. Many of these mid-sized businesses admitted to simply “giving up”, finding the regulation’s scope both overwhelming and too far-reaching. These businesses are now left with compliance programs riddled with gaps.
For the two-thirds who continue working towards GDPR compliance, two main areas emerged as the focus: firstly, knowing what data they are currently collecting and the purpose for which it is collected, and secondly, appointing a dedicated Data Protection Officer, as GDPR requires.
Of those businesses operating outside of GDPR guidelines, 35 percent admitted to sending marketing emails without consent, 31 percent continue to store data without explicit consent and 27 percent admit their data remains unsecured. Opt-out processes which fail to align with GDPR, and privacy-friendly options that are hard for individuals to access, are the other top areas leaving these businesses outside GDPR compliance.
Confusion may be responsible for ongoing compliance gaps, with data security practices such as encryption remaining an area of uncertainty according to a GDPR.EU survey of 716 business leaders. It found that whilst two-thirds were confident their businesses used end-to-end encrypted email, when asked which service their business used for this encryption only nine percent could name it.
Considering the above, GDPR’s implementation has surprisingly coincided with improved cyber hygiene. RSM found 62 percent of businesses increased their cyber security investment, with 73 percent believing GDPR to have positively influenced their data management practices. On the other hand, 21 percent continue to operate without any cyber security practices in place.
This cyber security improvement could arguably be linked with cyber extortion, an unpredicted and unintended GDPR side effect. This growing cybercrime trend sees criminals targeting companies who are non-compliant. With potential GDPR fines of up to either twenty million Euros or four percent of a company’s annual turnover, cybercriminals are extorting these non-compliant businesses with the threat of reporting them to European Data Protection Agencies.
With data breaches posing a huge financial and reputational threat, GDPR has been a welcome wake-up call for internal data security practices. Whilst GDPR does not explicitly mandate specific data security policies, it does bring an obligation for controls that are “appropriate” to a company’s risk environment.
The coming California Consumer Privacy Act (CCPA) will be the next big regulation to impact data security practices. This regulation differs from GDPR: rather than explicitly referencing data security or making specific requirements to secure personal data, it states a requirement to “implement and maintain reasonable security procedures and practices”.
Whether CCPA will be a similar wake-up call for Californian businesses remains to be seen. However, individuals can be assured that data security has been shifted into the business spotlight. As one small business owner told GDPR.EU, “I would want my data protected, so I do the same for my clients”. This view is the consensus of many businesses currently reshaping their data security practices, even if their compliance function is not receiving the same attention.