More work needs to be done by organisations to ensure they are compliant with the European Union’s General Data Protection Regulation (GDPR), which is due to come into force in May 2018. While organisations are for the most part aware of the upcoming data protection obligations, levels of maturity to meet the new standards are still low. On average, organizations are compliant with only 37% of the principles laid out in the GDPR. Organisations failing to comply with the GDPR after its implementation in May 2018 could face fines as high as 4% of global annual turnover.
DLA Piper’s Global Data Privacy Snapshot 2017 notes that some industries are progressing towards compliance better than others. The hospitality and banking sectors are ahead of the rest with 48% and 43% compliance respectively, while healthcare and manufacturing were at the bottom end of the scale with 34% and 35% compliance. The report didn’t reveal any correlation between size of organisation and level of compliance, neither did it show any significant variation between organizations that were regional, national or global.
Patrick Van Eecke, Partner and Global Co-Chair of DLA Piper’s Data Protection practice, said: “The responses show that many organizations still have work to do on their data protection procedures. Any organizations operating in Europe will need to see major improvements in their score by May 2018 if they are to avoid potentially heavy financial penalties under the GDPR, not to mention serious reputational damage as people become more and more aware of their rights in this area.
“With more and more organizations putting data at centre stage, data protection will become an increasingly prominent issue. It is vital that organizations invest now in the strategy and processes needed to help them to meet their obligations.”
Jim Halpert, the US Co-Chair of DLA Piper’s Global Data Protection practice, said: “As privacy requirements, such as privacy by design, data portability and extensively documenting a privacy program, become more complex, compliance demands significant operational work that takes time. In this sense, the results are not surprising. However, the time to step up compliance efforts is this year, not next.”
The GDPR will apply to processing carried out by organizations operating within the EU and to organisations outside the EU that offer goods or services to individuals in the EU. The UK government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.