The European Union (EU) General Data Protection Regulation (GDPR) is one of the most talked about directives to emerge over the past few years, and certainly one of the most important changes in data privacy regulation in recent times.
GDPR is intended to protect all EU citizens from privacy and data breaches, a long overdue update given that the previous directive was established way back in 1995, right at the outset of the internet age. The volume of data that organisations now hold on citizens has grown phenomenally since that time, and it is vital for citizens to feel their personal data is safe and protected.
So businesses need to get their house in order, especially given that the new legislation applies to any organisation in the world that holds or collects data on citizens in Europe. Failing to achieve compliance with GDPR could result in penalties of up to €20m or 4% of annual turnover, whichever is higher.
Given those penalties, you would think that organisations all over the world are taking GDPR very seriously indeed. And you would be mistaken, if new research out last month is to be believed.
Is GDPR compliance really not relevant?
The survey of 1,350 non-IT business decision makers across 11 countries, commissioned by NTT Security, revealed that only 39% of UK decision makers believe that GDPR applies to them, the lowest of all the European countries surveyed, including Germany, Austria, France, Sweden, Norway and Switzerland. 20% of UK respondents did not know if GDPR applies to them or not.
The most informed respondents were in Switzerland, where 58% said the rules apply to them, followed by Germany and Austria, where 53% recognise that the new data protection rules apply to them. Further afield, only one-quarter of US respondents believe the GDPR applies to them, while 20% said they do not know. In Australia just 26% believe the new rules apply to them, while 19% said they do not know.
The situation outside of Europe is interesting, given that the legislation could apply to any organisation anywhere in the world with European citizen data.
Addressing GDPR with automation
Part of the reason that so many global firms appear to be in the dark about GDPR is that compliance is rarely the board-level priority it needs to be. The answer to overcoming this lies in addressing GDPR as part of an overall continuous compliance programme, rather than a project to be started and eventually finished.
Being supported in a continuous process by external experts will allow an organisation to drive GDPR more efficiently and to reach the desired results from a compliance perspective. Digital compliance allows external experts to continuously support and advise the company by providing compliance action plan supervision in real time.
Approached in this way – supported by automation of processes to ensure nothing falls through the cracks – means an organisation anywhere in the world will know precisely how GDPR relates to their business and data. They can then assess what they must change in order to be compliant and ensure there are no fines come the 25 May 2018 deadline for GDPR compliance.