One in four UK businesses are deaf to the biggest shake-up in data protection law in 20 years, a report out today suggests.
And nearly one in two have failed to start preparing for the enactment of the new legislation in a year’s time, notes the survey from the Ipsos Mori market research group and legal firm Brodies.
The general data protection regulation (GDPR) comes into force on 25 May 2018 and will impose strict new rules on the way that organisations collect, store and use personal data.
Currently, the Information Commissioner has powers to issue fines of up to £500,000 for data breaches. However, under the GDPR the maximum fine for the most severe breaches will be €20 million (£17m) or 4 per cent of the worldwide turnover of a business.
Elizabeth Denham, UK Information Commissioner, said: “Together with government and European authorities, we’ve been reaching out to organisations to help them get ready for GDPR since March 2016, but we know there are organisations which have yet to engage. With one year to go, there’s still time to prepare, but there’s no time to waste.”
Grant Campbell, head of Brodies’ commercial services division, added: “These survey results show that, for many, there is a lot of work to do if GDPR compliance is to be achieved by May 2018.
“While 67 per cent of organisations are confident that they will be ready, it is difficult to reconcile that statistic with the finding that over half of organisations have not (or don’t know whether they have) conducted an information audit, which is an essential building block for a compliance strategy.”
The regulation, which replaces the current Data Protection Act 1998, will also herald the end of the pre-ticked “opt-in” boxes that are widely used on websites for marketing purposes.
Instead, those handling personal data will be required to seek consent through “affirmative action” from individuals and will have to explain to them how their data will be used, how long it will be kept and how it will be safeguarded.
Today’s survey says that as a first step towards compliance, organisations that handle personal data should carry out an “information audit” to identify “what personal data they hold, where they hold it, where it came from, what they use it for and with whom it is shared”.
Despite 74 per cent of the 92 respondents believing GDPR will have a “high” or “medium” impact on their organisation, 45 per cent have yet to carry out such an audit.