GDPR preparedness mixed with a month to go
Written by Peter Walker
With only a month to go until the General Data Protection Regulation (GDPR) comes into force across the UK, experts have warned that many companies still have work to do.
Under the GDPR, all companies that collect and process data from European Union citizens face fines of up to €20 million, or 4 per cent of global revenues, whichever is greater.
While a survey of 1,000 senior IT officials found that three quarters of UK firms are confident they will comply with GDPR, a report published earlier this year by the Department for Digital, Culture, Media and Sport revealed that only 38 per cent of UK businesses said they had heard of the regulation – and among those that are aware of it, only just over a quarter have made any changes.
Paul Bowen, head of financial services for UK and Ireland at digital and cloud services firm Avanade, said that many in the financial services sector remain underprepared.
“My concern is that where banks are in doubt about how open they should be with customer data, they will take the safe course of action and choose protection over access. This is the worst approach possible, as it would likely harm their ability to build the new digital services and partner ecosystems required to compete against FinTech companies.”
He suggested that banks should start focusing on the opportunities of these regulations rather than worrying only about the threats, as they could be a catalyst to rebuild data models and make them better suited to the emerging digital world.
“I suspect that firms that have shown a commitment to implementation may be shown a degree of leniency initially, relative to the full weight of remedy at the regulator’s disposal, should there be problems,” added Bowen.
Jon Szehofner, co-founder of law firm Gordon Dadds’ financial markets practice, agreed that so long as firms demonstrate a deliberate effort and plan to comply, they are unlikely to feel the full force of the Information Commissioner’s Office.
“I’d question whether the highest fines will be imposed unless there are any significant data breaches, but on the flipside, the possibility of such large fines has enabled people to get buy-in from board level and investment for GDPR compliance,” he commented. “There’s clearly room for interpretation of the regulatory text – plenty of grey areas – so I’ll be interested to see some legal precedent set in the months after the regulation comes in.”
Ben Young, general counsel at e-commerce software provider Elastic Path, said that even at this late stage, there’s still time left to document any efforts that have gone into compliance activities, current and future planning, or administrative steps such as appointing data protection officers.
“Post-deadline, there should be a shift from documenting current and future planning into a focus on ongoing program operation and monitoring. Don’t forget the cultural piece either: companies should continue to be on the lookout for ways to demonstrate changes in ‘attitude’ and show how privacy is considered as part of new company initiatives,” he said.
The new rules overhaul how organisations store, secure and manage their customers’ data. Individuals will have the right to know what information is held about them, the right to have that data removed, the right to data portability, and the right to be informed if there is a data breach. This data is known as Personally Identifiable Information (PII).
Ian Kilpatrick, executive vice president of cyber security for Nuvias Group, explained that while electronic data storage within a structured database should be relatively easy to organise, the larger problem is unstructured data and knowing where PII is stored.
“Once you know where your unstructured sensitive files are stored, move them to a central repository from which you can defend access,” he stated, adding that processes and procedures must be set up to respond within the prescribed 30 days to Data Subject Access Requests.
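The two problems Kilpatrick raises, finding PII scattered through unstructured files and then being able to answer a Data Subject Access Request within the deadline, are usually tackled with a discovery scan over file shares. The following is an added illustration, not code from the article or from Nuvias: it runs simplified pattern detectors (e-mail addresses, UK National Insurance numbers, UK mobile numbers; the patterns are deliberately loose and are assumptions, not authoritative validators) over a small constructed set of in-memory "files" with hypothetical paths, reports which files contain PII and therefore belong in the controlled repository, and answers a DSAR-style lookup for one subject.

```python
"""Toy PII-discovery scan over unstructured text (constructed sample, added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Simplified detectors; real NINO and phone validation has more rules than this.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "uk_nino": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),            # two letters, six digits, suffix A-D
    "uk_mobile": re.compile(r"\b(?:\+44\s?7\d{3}|07\d{3})\s?\d{6}\b"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def scan_files(files):
    """files: mapping of path -> text. Returns one Finding per pattern match."""
    findings = []
    for path, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in PII_PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.append(Finding(path, line_no, kind, match.group(0)))
    return findings


def files_with_pii(findings):
    """Which files need moving to the access-controlled repository, and why."""
    by_file = defaultdict(set)
    for f in findings:
        by_file[f.path].add(f.kind)
    return {path: sorted(kinds) for path, kinds in by_file.items()}


def dsar_locate(findings, subject_email):
    """For a subject access request: every (file, line) mentioning the subject's e-mail."""
    key = subject_email.lower()
    return sorted({(f.path, f.line_no) for f in findings
                   if f.kind == "email" and f.value.lower() == key})


# Constructed sample corpus with hypothetical paths; none of this is real data.
SAMPLE_FILES = {
    "shared/hr/onboarding-notes.txt": (
        "New starter: Jane Example, jane.example@example.org\n"
        "NI number AB123456C, mobile 07700 900123\n"
    ),
    "shared/marketing/brief.txt": "Campaign launches 25 May; no customer details here.\n",
    "shared/support/ticket-4812.txt": (
        "Customer jane.example@example.org asked for a copy of her data.\n"
        "Agent: bob@example.org\n"
    ),
}

if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, kinds in files_with_pii(results).items():
        print(f"{path}: {', '.join(kinds)}")
    print("DSAR hits:", dsar_locate(results, "jane.example@example.org"))
```

In practice the scan would walk real shares and feed its findings into a data inventory; the point of the example is that the same index serves both the "move it somewhere defensible" step and the 30-day DSAR response, so the two are worth building together rather than as separate projects.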
Michiel Jorna, global director for industry solutions at Software AG, said this is a daunting time for organisations yet to fulfil their new obligations, and suggested turning to robotic process automation to help stay compliant.
“This technology makes available a new ‘workforce’ of software robots who can assist in the automation of repetitive tasks and processes. For organisations lagging behind data governance, the automation of otherwise manual data entry is hugely beneficial and time saving,” he explained.
“With GDPR right around the corner, all organisations will be expected to manage risk combined with the high pressure of data overload; clearly there is no time to waste. Emerging technologies must be embraced to prepare for the 25th May.”