Organizations need to do more work to ensure compliance with the European Union's General Data Protection Regulation (GDPR), which comes into force in May 2018. While organizations are largely aware of their upcoming obligations, their maturity in meeting the new standard is still low: on average, organizations are compliant with fewer than 40% of the principles laid out in the GDPR.
DLA Piper's Global Data Privacy Snapshot 2017 notes that some industries are progressing towards compliance faster than others. The hospitality and banking sectors are ahead of the rest, at 48% and 43% compliance respectively, against an average of around 37%. Healthcare and manufacturing sit at the bottom of the scale, at 34% and 35% respectively.
Data breaches are already the second greatest concern for business continuity professionals, according to the latest Horizon Scan Report published by the Business Continuity Institute. If organizations are not compliant by the time the GDPR comes into force, a breach will become even more disruptive, since the regulatory and financial consequences will come on top of the operational ones.
Patrick Van Eecke, Partner and Global Co-Chair of DLA Piper's Data Protection practice, said: "The responses show that many organizations still have work to do on their data protection procedures. Any organizations operating in Europe will need to see major improvements in their score by May 2018 if they are to avoid potentially heavy financial penalties under the GDPR, not to mention serious reputational damage as people become more and more aware of their rights in this area.
"With more and more organizations putting data at centre stage, data protection will become an increasingly prominent issue. It is vital that organizations invest now in the strategy and processes needed to help them to meet their obligations."
Jim Halpert, the US Co-Chair of DLA Piper's Global Data Protection practice, said: "As privacy requirements, such as privacy by design, data portability and extensively documenting a privacy program, become more complex, compliance demands significant operational work that takes time. In this sense, the results are not surprising. However, the time to step up compliance efforts is this year, not next."
The GDPR will apply to processing carried out by organizations operating within the EU and to organizations outside the EU that offer goods or services to individuals in the EU, or that monitor their behaviour. The UK government has confirmed that the UK's decision to leave the EU will not affect the commencement of the GDPR. Organizations failing to comply with the GDPR once it applies from 25 May 2018 could face fines of up to 4% of global annual turnover or €20 million, whichever is higher.