The General Data Protection Regulation (GDPR) applies from 25 May 2018 and will have significant and wide-ranging impacts on organisations, including administrative fines of up to 4% of global annual turnover or €20 million (whichever is greater) for the most serious infringements. With the countdown to the compliance deadline well underway, organisations are moving from planning to implementing their GDPR readiness programmes.
In February 2018, we asked IoD members to take a GDPR preparedness survey, which aimed to collect information on the preparations, experiences and challenges faced by business leaders in Ireland in respect of compliance with the GDPR.
Drawing on the survey findings, it appears that some respondents still have a limited understanding of the GDPR: 25% of respondents rate their understanding of the regulation as either fair or poor.
While 75% of respondents rate their understanding of the GDPR as excellent, very good or good, it is concerning that, at this late stage, a quarter of business leaders still do not appear to have an adequate understanding of the regulation.
Significantly, 27% of respondents say that their organisation is either slightly or not at all prepared for the GDPR.
Most organisations have taken steps to prepare for the GDPR (73% say their organisation is either very prepared or moderately prepared) but, with just three months to go until the compliance deadline, the finding that over a quarter of organisations are not adequately prepared is worrying.
One reason for the lack of preparedness may be a late start: 32% of respondents say that their organisations only began preparing for the GDPR three months ago or less.
A further 21% of respondents say their organisation started preparing for the GDPR 3 to 6 months ago and 30% say 6 to 12 months ago. Just 18% started preparations a year ago or before.
While many organisations may be trying to catch up with the preparation process, most have external support. Just under half (47%) say that their organisations have already recruited external advisors to assist with their GDPR preparations, 29% have not, and 25% say that preparation is managed in-house.
When asked whether senior management has been briefed on the GDPR, 87% of respondents say it has and 11% say it has not. Furthermore, 84% of respondents say that the GDPR is on the board's agenda. These findings are positive: regular discussion of the GDPR at board level is vital, because the regulation affects all aspects of the business and the board is ultimately accountable for compliance.
On training, more than half (52%) of respondents say that relevant staff have not yet received GDPR awareness training; 42% say they have, and 4% say the question is not applicable. It should be noted that Article 39(1)(b) of the GDPR lists "awareness-raising and training of staff involved in processing operations" among the tasks of the data protection officer.
In answer to the question, ‘if your organisation is required to appoint a data protection officer (DPO) under the terms of the GDPR, has your organisation done so yet?’ 40% say they have, 28% say no, 8% don’t know and 24% say the question is not applicable to them.
GDPR Compliance and Concerns
Results show that in half of organisations (50%) senior management is responsible for monitoring data protection. The next largest group of respondents say that the Data Protection Officer (23%) is responsible for monitoring data protection. Other functions that take responsibility for monitoring data protection are the legal department (5%), the IT department (4%) and the marketing department (2%). 6% say that all users of data within the workplace are responsible, and 2% don't know.
Respondents were asked about their main concerns regarding the GDPR. Their top three concerns are:
- Ensuring that data is treated appropriately (collecting, protecting, managing, destroying and sharing data) (62%)
- Ensuring that the organisation will be GDPR compliant by 25 May 2018 (61%)
- Ensuring that all third parties who handle their organisation's data are fully compliant (43%)
The lesser concerns noted by respondents are:
- Ensuring ongoing compliance after May 2018 (37%)
- The cost of ensuring full compliance (including staff training) (34%)
- Identifying, and reporting, a data breach within 72 hours (17%)
In terms of priorities, 89% of respondents say that the GDPR is a high or moderate priority for their organisations in 2018. The top three aspects of the GDPR that are considered priorities are:
- Ensuring that the organisation will be GDPR compliant by 25 May 2018 (76%)
- Appropriate treatment of data (collecting, protecting, managing, sharing and destroying data) (71%)
- Ensuring sufficient financial and human resources are available to meet full compliance (e.g. including staff training) (37%)
Other key priorities noted by respondents are:
- Ensuring that all external parties who handle our data are fully compliant (36%)
- Obtaining customers’ consent for the processing of their personal data (30%)
- Ensuring continuous review of data protection measures (28%)
- Impact on marketing and analytics as a result of non-retention of historical data (12%)
- Appointing a Data Protection Officer (if required) (9%)
The top two priorities match the top two concerns reported above: ensuring that data is treated appropriately and ensuring that the organisation will be GDPR compliant by 25 May 2018. These aspects of the GDPR are clearly top of mind for business leaders.
In terms of investment, the largest group of respondents (38%) are not sure how much money their organisation plans to spend on implementing the GDPR. 15% say their organisation plans to spend up to €5,000, 13% say between €5,000 and €10,000, another 13% say between €11,000 and €50,000, and 17% say their organisation plans to spend €51,000 or more on implementing the GDPR.
About the Research
In February 2018, the IoD carried out a quantitative online survey of business leaders in Ireland. The questions were a mix of open-ended, closed-ended and multiple-choice; some multiple-choice questions allowed more than one answer, so percentages for those questions may not sum to 100. The representative sample comprised a cross-section of businesses by role and industry. Total sample size: N=254. Fieldwork dates: 5-15 February 2018.
- Principal organisation: The private sector had the highest level of representation at 36%. 15% were from multinational organisations and some 12% were from the State or semi-State sector and 10% were from SMEs. The remainder were from the not-for-profit sector (8%), PLCs (8%) and professional services (7%).
- Role: Chief executives and managing directors are the highest represented cohort of respondents at 36%, with senior directors/head of function accounting for 22% and executive directors making up 19% of those surveyed. Chairpersons made up 10% of respondents, non-executive directors made up 9% while company secretaries formed a small proportion (1%).
We are very grateful to all the survey participants for their time and insights.