The State of GDPR Compliance After a Year, Where we at?
One year has gone by since GDPR came into force. In that time, most companies have learned what GDPR is about, but a recent survey suggests many still find it hard in practice. Research from Crown Records Management found over 75% of organisations are still struggling with compliance. Worse still, some businesses may have even stalled their efforts towards it.
Many companies have a veneer of GDPR compliance, with opt-in tick boxes on their websites to make sure consent for data processing is legal. But behind the scenes, data management falls short. A vast number still do not have the processes in place to track data flow or handle SARs (subject access requests) in good time.
A little over a year ago, companies in the EU or with EU customers were preparing for GDPR. At least, there was some effort towards complying with it. To motivate them, there was talk about fines of €10 million or 2% of annual revenue. That was the big stick waved about by the media, at least.
The big stick isn’t fictional. Google suffered a €50 million fine only recently for breach of GDPR in France. But smaller companies expect leniency in the event of a violation, and that makes them complacent. Should they be complacent? Well, no.
As time goes on, GDPR enforcers like the ICO in the UK or CNIL in France are likely to show less mercy to smaller businesses. It’s unwise to let non-compliance stagnate in the hope that a company is small enough to fly under the radar. Businesses of all sizes should take positive steps now to sort out data disarray. But how?
One of the problems small to mid-sized companies face is lack of resources when it comes to GDPR compliance. They can’t afford thousands of pounds for consultants or dedicated GDPR staff, and the cost of installing the necessary data-processing systems is off-putting. Not only that, but GDPR seems impenetrable as a subject—unknowable in its entirety.
Although the Internet is full of GDPR articles, videos, and advice, for many, this information overload only muddies the waters. Some of it conflicts. Naturally, the advice isn’t always selfless either. Consultants and lawyers make a lot of money from GDPR, so they won’t understate the importance of compliance.
Coping with SARs
One GDPR aspect that companies dread, because they’re still unprepared for it, is SARs (subject access requests). Individuals can request confirmation that their data is being processed, copies of their personal data and other information.
The “other information” that companies must provide includes the existence of individuals’ rights to request rectification, erasure, or objection to data processing. Some of this info should be included in a privacy notice. Thus, privacy notices are a crucial part of compliance.
Employees, too, have the same right under GDPR to know what personal data their employer stores. So, the “threat” of non-compliance can come from several directions. Companies must respond to SARs within a calendar month, regardless of origin.
With all the above said, why is it so challenging for companies to deal with SARs? The main reason is lack of control over data. Many companies handle vast amounts of data, much of which gets split into multiple data silos for different departments and locations.
It’s a huge IT challenge to deal with data in a structured way, keep it secure and avoid it leaving the network via various channels and devices. This complexity is one of the reasons companies call in experts to get their data under control, but not all businesses can afford outside help.
Data mapping is the process of locating and classifying all data within a business. This is how you get data sprawl under control. It’s also the answer to responding to SARs quickly and efficiently. Only by knowing where all data resides can a company meet the demands of GDPR.
Of course, talking about data mapping and implementing it are two different things. Where does one start? It’s rather like tidying a house stuffed to the brim in every room with hoarded possessions. It can be daunting. For small to mid-sized companies, GDPR software offer an affordable solution.
A good GDPR software has all the expertise of a living consultant but avoids the inherent cost. It steers many companies steadily towards compliance within a few weeks. And, importantly, those companies can demonstrate a path towards compliance. You can be sure action is more favourable to the ICO than apathy.
Summary of Concerns
After a year of GDPR, the chief concerns of companies over non-compliance can be broadly split into three parts.
- Data storage methods: a problem that gets worse in the modern era lies in controlling the endpoints of data storage. All data silos must be secure. Cloud storage needs managing under GDPR. Strict contracts must exist between controllers and processors. A system limiting removal of personal data from networks via mobile phones and other devices is essential. Employees must understand their responsibilities, too, under GDPR.
- Data retrieval: it’s vital companies can quickly access data to respond to SARs and meet the demands of data subjects. For example, if an individual exercises his or her right to data erasure, a company can only comply if it knows where to find said data. An efficient, easy-to-use retrieval system is necessary.
- Data protection: data mapping is part of the solution to data protection. Other measures are possible like data masking, data access control, data encryption, and security policies to protect data at every level (e.g. use of data for production, reporting, analytical or training purposes).
What Will Change?
Many of the regulations that exist now under GDPR existed before under the EU Data Protection Directive. The change in law surrounding consent forms forced all companies to alter the front end of their business so they were not overtly non-compliant. But many still do not comply behind closed doors. Will this change?
Companies of all stripes must start complying if GDPR enforcers become less lenient over time. And that’s likely. Businesses have to be able to prove compliance at short notice. There must be a clear path towards it. It’s not something they can summon in a couple of hours or pay lip service to.
One positive thing about GDPR is the business opportunity it creates. Compliance is a saleable product that makes firms competitive. So, if they get into a constructive GDPR mindset, it’s better for them and for customers. These benefits may eventually alter the state of play. Data protection could become trendy.
If your company still struggles with GDPR, compliance software is a possible solution. Big companies may need a more elaborate answer, but GDPR365 software leads many business owners towards peace of mind. Act now!