Dan Kitwood/Getty Images
show image

Oscar Williams

News editor

Top UK firms are overestimating how prepared they are for GDPR

Most of the UK’s top firms are significantly overestimating how prepared they are for the EU’s upcoming General Data Protection Regulation, new research suggests.

The far reaching regulation comes into force in less than five months and introduces fines of up to four per cent of annual global turnover for firms that breach its rules.

But despite the threat of crippling penalties, the majority of FTSE 350 and Fortune 500 firms are failing to take appropriate measures to become compliant, according to a survey by law firm Paul Hastings.

The firm found 94 per cent of top UK firms and 98 per cent of top US firms think they are on track to comply with the regulations. However, fewer than half (39 per cent in the UK and 47 per cent in the US) have established an internal GDPR taskforce, only a third have commissioned third party GDPR gap analysis and only a third have hired a third party consultant.

In addition, only 29 per cent of top UK firms and 18 per cent of top US firms have hired a data protection officer, even though this is a key requirement for businesses that monitor individuals on a “large scale”.

“Achieving GDPR compliance is an enormous task, which in our experience almost inevitably requires dedicated resources and budget,” said Behnam Dayanim, a partner at Paul Hastings.

“Against that backdrop, the confidence among major corporations revealed in our survey seems mismatched with those same businesses’ reports of their implementation efforts,” he said.

Firms are almost guaranteed to “carry a quantum of illegality into May 2018 and beyond”, Stuart Room, global head of cyber security and data protection legal services at PwC, told delegates at IP Expo in October. The “maturity levels are such that the GDPR is impossible for most organisations”, he added, citing PwC’s readiness assessments.

“The lawmakers assumed the GDPR would be deliverable, but the evidence of the economy is something totally different,” he said. “Because of those false assumptions, we will end up in inevitable failure. Regardless of the amount of time and resources you may have, you will never deliver on the GDPR as designed.”

PwC’s own research, Room said, shows that regulators care most about data protection. As such, organisations must put risk at the heart of their compliance efforts. Reviewing who or what represents the biggest threats to their data is the best place to start, he concluded.