The General Data Protection Regulation has been described as the most significant overhaul in data protection in a generation.
Statistics suggest that the majority of organisations are still not prepared despite the prospect of irreparable reputational damage and being fined €20m or four per cent of worldwide annual turnover if they do not comply.
Nicola Frost, head of legal and company secretary at Manchester-based cloud hosting firm UKFast, believes most firms won’t be compliant in time.
“Yes, ideally you could have started last summer, but GDPR is more about a culture shift within your business when it comes to data protection,” she says.
“Not everyone is going to be compliant by May; in fact I’d guess that only 25 per cent of businesses will be truly compliant by then.
“At the end of the day, the Information Commissioner’s Office (ICO) is going to look much more favourably on a business that’s actually tried to do something about it and tried to put safeguards in place than ones that have done absolutely nothing.”
She adds that having your journey to GDPR compliance supported by top stakeholders in the business is crucial.
“All it takes is one complaint to the Information Commissioner’s Office or one mistake from a staff member who’s not trained – so you’ve got to get buy-in from the top.
“People think that GDPR is an issue that just sits with the legal department or with compliance [but] it goes through every aspect of the business from somebody walking in at reception and signing their name. It permeates every operational aspect.”
Kim Smouter-Umans, head of public affairs and professional standards at ESOMAR, the global association for insights and data, echoes the same sentiment.
“Not panicking is a really important first step,” he says. “Data protection authorities have repeatedly said they don’t intend to begin with enforcement action from May 25 and that they’re actually planning to give some leeway as long as businesses can demonstrate that they’re working towards a compliance programme which is effective and which meets all the requirements.
“It’s also important to understand that there’s no expectation for an SME to have in place the same data protection measures as Microsoft or Apple would have.
“It’s not a one size fits all and there’s going to be a bit of judgement that needs to be made by each organisation to see what works and what doesn’t work.”
Edward Whittingham, managing director of the Business Fraud Prevention Partnership, says companies shouldn’t be panicked by scaremongering tactics.
“GDPR shouldn’t be feared, but embraced – yes, it does need our immediate attention and no, it isn’t going to be plain sailing – but it is important and needn’t be overly complicated, despite the scaremongering.”
Cloud hosting firm UKFast is providing free GDPR pocket guides containing valuable resources and guides from industry experts to help support businesses.