According to a recent survey conducted by Deloitte, only 30% of organisations are have been responding to customer requests regarding their personal data within the GDPR timeframe.
What is GDPR?
The General Data Protection Regulation (GDPR) came into effect in May of this year. A measure put in place to modernise previous data protection directives from the 1990s, GDPR aims to keep pace with rapid technological changes when it comes to protecting customer information. Furthermore, GDPR was implemented to set in a place a more consistent set of guidelines across Europe.
Although GDPR regulations have been more effectively applied to technological advancements, it took more than four years of negotiation and discussion before GDPR guidelines were decided upon. This highlights how, even though steps have been taken, uptake is still too slow when compared to the innovation of the technology sector, and the potential misuse and monopolisation of data.
Each European country had the option to alter the laws slightly according to their own jurisdictions. In the UK, the Data Protection Act 2018 was initially greeted with some controversy since guidelines were amended in this country to protect cyber-security researchers.
These guidelines protect the consumer by allowing them easier access to what data a company has access to, as well as introducing steeper fines to organisations who go against regulations. This is overseen and implemented by the Information Commissioner’s Office (ICO). Companies must inform the ICO no later than 72 hours after any form of breach occurs where data they have stored has been accessed.
Businesses were allowed from May 2016 to May 2018 to prepare for and implement new GDPR measures, and so the question remains: why are businesses not fully adhering to the GDPR timeframe?
Is it the Brexit effect?
Post-Brexit changes should not have an overwhelming effect on GDPR guidelines, this is largely due to the contingencies each individual European country has been allowed to make so the laws most effectively work.
The two prior years businesses have had to fully prepare for GDPR have meant that businesses had the time to source other effective ways in which to gather the relevant information they need to conduct business, without breaching a customer’s right to privacy.
An example of a data breach story that made the headlines would be Facebook’s admission that 50 million ‘access tokens’ for accounts had been taken by unknown hackers. This is the kind of eventuality that GDPR regulations hopes to reduce through the introduction of stricter measures and hefty fines.
Survey conducted by Deloitte
“Six months in, what is clear is that some organisations are still grappling with the implementation of their GDPR compliance,” said Peter Gooch, cyber risk partner at Deloitte.
Deloitte has stated that in the six months GDPR has been in effect, more than two-thirds of organisations who took part in their global survey (consisting of answers supplied by 1,100 organisations) have been responding to customer data requests late.
Gooch continued: “Given the complexities of such programmes and increased consumer awareness of such requests, we would expect some bedding-in time. However, our research found that a fifth of organisations only aimed for bare minimum compliance back in May, which may be indicative of the delays some customers are currently experiencing.”
The GDPR timeframe for handling data requests submitted by the consumer (for example, the option to opt out of direct marketing or to erase their details from company systems) is one month. Although statistics for the fulfilment of this are low, it is an improvement on previous measures.
“That said, 33% of organisations surveyed continue to invest in their privacy practices, including in technology and talent,” said Gooch. “Since May, 70% of organisations surveyed have seen an increase in staff who are either partly or fully focused on GDPR compliance. For many, this included the recruitment of a dedicated Data Protection Officer (DPO). Of the countries surveyed, the UK leads in this respect, with 92% of respondents assigning a DPO.”
With DPO’s now being assigned role-specific responsibilities to handle GDPR guidelines, the number of businesses who are handling data requests in a timely manner should increase.
Gooch concluded: “Overall, organisations are taking the right steps in continuing their GDPR implementation and the majority (92%) felt confident in demonstrating their ability to conform in the long-term. In the immediate term, though, many will need to address today’s pressure to respond to data requests. This is particularly the case as online tools, enabling consumers to make mass data requests, increase in popularity.
“Those that are currently responding with some delay will need to take a more customer-centric approach, not only to meet the existing volume, but also the influx of requests their tools could create.”