GDPR has been in place for eight months but, considering how much worry there was about its implementation, how did companies find the process of getting up to speed?
For all of the confusion, fear and discussion among business owners that surrounded the arrival of the General Data Protection Regulation (GDPR), more than half a year has now passed since the legislation came into force on Friday May 25 2018.
Although Brexit has replaced GDPR as the hot topic on the tip of entrepreneurs’ tongues, the regulation can’t just be forgotten. Non-compliance carries the risk of a €20m fine or 4% of turnover, whichever is higher, making it abundantly clear that GDPR isn’t something that can be swept under the rug.
But a study conducted by Imperva, the cybersecurity specialist, revealed that 28% of organisations felt they weren’t completely compliant with GDPR. Alarmingly, that sentiment was recorded in August 2018, some three months after the regulation took effect.
Terry Ray, CTO of Imperva, said: “Any company that put GDPR off until the last minute now realises compliance cannot be achieved overnight. It does not surprise me that many organisations feel unsure about the idea of a GDPR audit. The truth is many would fail.” Despite the seemingly lax approach many firms took to getting up to speed, it shouldn’t be forgotten that the consequences are severe. And it’s not just that failing to comply could cost your business in fines.
Highlighting the importance of GDPR’s implementation, Phil Chambers, chief operating officer at Metro Communications, the dark web services company, says: “A recent FOI request to the Information Commissioner’s Office showed that the number of reported data security breaches had risen by three quarters over the past two years, with an overwhelming proportion being down to human error.” With employees responsible for so much of the personal information being exposed, and with hackers actively looking to break through companies’ closed digital doors, there is much to consider. “You can see why the implementation of GDPR was needed,” continues Chambers. “All companies, including smaller businesses, must approach information security as business critical.”
As Metro Communications operates in the cybersecurity sector, it was well aware of GDPR’s arrival, so much of the necessary preparation was already taken care of. “We’re relatively new, so all our marketing and data governance was developed with the knowledge that GDPR was coming,” says Chambers. “As a result we haven’t had to make many changes to avoid GDPR pitfalls.” He concedes that other SMEs would have found compliance quite an uphill struggle though: “Many of them already have stretched resources and small teams. The strain was particularly felt by those B2C businesses – some had to completely change how they communicated with customers.”
The team at Find Me A Gift, the online retail company, knows all too well what an arduous task getting GDPR-ready was. Indeed, it was nothing less than a “massive undertaking” according to Adam Gore, director and co-owner of Find Me A Gift. “It’s taken a lot of time working through all the changes in how we hold, process and secure personal data,” he says. “Weeks of staff training, not to mention the constant auditing, to ensure our staff and customer data is safe and secure.”
Building on such challenges, Jon Cano-Lopez, CEO at REaD Group, the data communications company, says part of the difficulty has been down to misinformation surrounding GDPR both before and after its arrival. “There are many intricate parts of the legislation, covering all aspects of data collection, storage and processing,” details Cano-Lopez. “It impacts on IT systems, data management, information security, website design, HR practice and more.” As companies were never required to have such expertise within their own four walls, many had to pay external outfits to provide support. “For startups, which typically will have a small group of founders covering multiple roles and responsibilities, meeting new requirements represents a huge investment of time and money,” he adds.
It’s fair to say Cano-Lopez hit the nail on the head by discussing expenses. Spending has been the biggest downside of ensuring Find Me A Gift’s compliance, explains Gore. “The biggest con to GDPR for our business has been the cost,” he says. With external training to educate staff in GDPR, joining the government scheme Cyber Essentials to protect the site and give customers peace of mind, new IT developments to secure supplier access to orders and so on, fees have mounted up. “Data mapping also took an extremely long time: gathering and analysing data sources, agreeing retention periods and recording the reason for holding the data,” Gore adds.
It’s not all doom and gloom, however. Find Me A Gift has also seen benefits that offer some balance to the problems. “The pros have been added security of personal data to protect us, our customers and employees,” says Gore. He points to a better understanding of where and why data is being kept, and transparency with staff and customers about it, as other bonuses. “GDPR helped us cleanse our systems and files of unnecessary data,” Gore continues. “It has been a cathartic process to go through as it has driven us to care more about personal data, how we process it and its retention. Overall this has been a positive exercise to go through as it has enabled us to manage risks to the business that aren’t normally given the focus they should have.”