Organisations still struggle with GDPR compliance

UK businesses struggle to manage data access requests; many would rather pay breach penalty than beef up data security

More than 60 percent of UK businesses have seen a spike in data access requests in the past one year, said research by BPO business Parseq. Of these firms, 87 percent found it tough to effectively respond to the requests.

With the GDPR making it easier for people to access their personal data from organisations, the surge in requests is expected said Parseq managing director Craig Naylor-Smith. 

"However, the fact that so many firms have struggled to respond to the surge in requests suggests that the pressure this has put on businesses has been greater than they anticipated, or that many were simply unprepared for what the GDPR would bring," he added.

The GDPR was a necessary update on existing legislation to give customers control over what organisations can and can’t do with their data, Nicola Howell, senior compliance & EU privacy attorney at Dun & Bradstreet, told SC Media UK. 

"Before its implementation, businesses rushed to get consumers to ‘opt in’ to receive direct marketing. This led to the false impression that consent is always required before sending marketing. Although consent (or "opt in") is often required to send e-marketing to customers, it is not required in business to business (b2b) communications," she wrote in an email.

Adapting to the GDPR is a matter of perspective, Mimecast threat intelligence director Francis Gaffney told SC Media UK. "GDPR shouldn’t be a burden if businesses think through the lens of their customers, partners, or employees. If someone trusts you with their data, you owe it to them to protect it; to know exactly where that data is stored, and who can access that data," he said.

Data management might seem like a big task, but archiving specialists that can simplify the process of storage and access, he suggested. 

The GDPR has also made companies responsible for mismanagement or theft of this user data. The recent hefty fines on British Airways and Marriott owing to the respective data breaches were supposed to make organisations more vigilant and responsible.

However, a global survey by CyberArk found that 31 percent of organisations are willing to pay fines for non-compliance with major regulations but would not change security policies even after experiencing a cyber- attack.

This view seems to be strong in the UK, with 43 percent of organisations believing that attackers can infiltrate their networks each time they try. As organisations increase investments in automation and agility, a general lack of awareness about the existence of privileged credentials – across DevOps, robotic process automation (RPA) and in the cloud – is compounding risk, said the report.

Complicating the situation is the impending deadline for Brexit, which makes it necessary for the UK to have an alternative to the GDPR.

"In the (probable) near future, Brexit will add an extra layer of complexity in how companies manage their dealings with customers. The UK is going to have to move towards a third-party relationship, similar to India or Australia, and will need a separate data transfer agreement as we exit the EU," noted Howell.

"Until then, businesses need to prepare for the inevitable prospect of becoming a standalone state outside of Europe; there may not be a transitional period."

IT business leaders in Britain prefer to brush data breaches under the carpet, SC Media UK reported in May, during the first anniversary of the GDPR. The norm puts the onus of disclosure on the breached company.

"It's unfortunate that plenty of organisations are having to pay penalties for breaches – you only have to look a couple of weeks back to see BA and Marriott landing hefty fines from the ICO – but as these fines stack up, organisations will see how the financial, and non -financial, impacts of a breach now drastically outweigh the potential savings from not investing in security and data management solutions," said Gaffney.

iManage product marketing director David Moseley agrees, saying the GDPR is a more modern and robust approach, fit for the era of cloud computing and digital processing.

"Planned and executed well, becoming compliant with the GDPR was a great opportunity to change systems and processes to enable a better digital transformation to become more agile, competitive and better serve the needs of data subjects. Unfortunately, many businesses started too late, saw the problem as too big or did not assign ownership correctly," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews