50% Of Organisations Unprepared For The GDPR

The GDPR Is Coming

The GDPR is coming. It’s everywhere – mainstream news, peppered across social media, and there are webinars and conferences aplenty. And yet one message is clear: many are not ready. Not nearly enough is being done and almost half of organisations that should have their ducks in a row have yet to make a start.

But the GDPR is not new news. It came into force in 2016 and, as of today, two thirds of the grace period have passed. Yet it’s still not uncommon for data privacy blogs, presentations and the like to begin with: “What is the GDPR?”.

Many remain stuck in first gear. Some are still deliberating whether the new data protection law will even work in the UK. Supposedly the ICO’s guidance on consent has been inconclusive or is insufficient. This is not a view I hold with; quite the contrary. But worryingly, it prevails in some quarters. Nonetheless, the countdown is on and there is no pause button. The GDPR is coming.

Big names in technology, social media, and internet search are grappling with the reality of eye-watering fines. Debates about the fairness of such things aside, private and public organisations seeking to continue to operate in the EU have no choice but to accept the parameters of the market. The General Data Protection Regulation applies equally to the UK, and this country’s own ICO most certainly holds the view that it will be central to our altered privacy landscape, and remain so far into the future.

The GDPR is often described as an upgrade that resolves the disparate data protection minimums created by the old Data Protection Directive it replaces. The GDPR will not grant us a second grace period. UK companies won’t be in a position to ask the ICO to be more lenient than the supervisory authorities in other countries. Not just because it will universally apply to all organisations, but also because it deals with the processing of data belonging to individuals. This is not a legal opinion, just simple logic. The rights of EU individuals will be commonly protected by the GDPR. There cannot be a ‘GDPR-light’ for one country or member state and differing rules for others.

The one-stop-shop principle of the GDPR was the result of an early objective to deal with the inconsistencies of the preceding directive. Different supervisory authority approaches across jurisdictions have burdened organisations operating in multiple states with varying data protection priorities. The General Data Protection Regulation is expected to remove much of the administrative burden, delivering a single set of rules that can be applied by all.

In this dawning age of greater protection for the rights and privacy of individuals, EU customers will have higher expectations around how businesses should meet – and communicate – their obligations to them. Old and young, discerning and trend-following, everyone will become savvy about how their data should be protected and be more aware of their rights. The GDPR creates an opportunity for businesses to strengthen their brand by building trust through respect and protection of personal data.

New tools and technologies will likely become available to help everyone. It’s too early to predict whether customers will vote with their feet by withdrawing their custom, or how well organisations will fare in the long term protecting their customers’ personal data. However, we can be certain that big data breaches will continue to attract considerable media attention. Data compromises are increasingly seen as ‘when, not if’ occurrences. Hopefully the “Privacy by Design and Default” principle of the regulation will prove to be a good first step toward bucking this concerning trend.

The GDPR is coming. Customers will expect their data to be protected. Not everyone will be ready on day one and some will risk a wait-and-see approach. One organisation has to be the first; we trust it won’t be yours. Those trailing behind might find it’s cold outside Europe’s digital single market.

If you would like Perspective Risk’s assistance with the GDPR, we have a wealth of knowledge and resources available to help you. Please click here to contact us.
