Polls show companies are not yet ready for GDPR

With GDPR day fast approaching, organisations across Europe should be working towards full GDPR compliance. However, recent polls during VinciWorks’ webinar, GDPR – 10 steps to take before May, show that businesses still lack clarity and direction on how to prepare for the new data protection laws under GDPR.

Below are some of the key findings of the polls and guidance on how we can make sure we are ready for GDPR, or at least on the way to full compliance, come GDPR day.

Click here to download a free recording of the webinar

Preparing for new rights under GDPR

Chart showing how prepared people feel for the new GDPR rights

While less than 5% of organisations had fully prepared for the new rights of individuals under GDPR, a worrying 35% feel that they are not at all prepared for them.

What are the new rights under GDPR?

Right to erasure

This is one of the most talked-about innovations of GDPR. It means that someone can request the deletion or removal of their personal data, including information published or processed online.

Data Portability

While people already had the right to access their data through a subject access request, the data will now have to be provided in a form that a computer can readily process (e.g. a spreadsheet or other structured file). A person can also request, free of charge, that their data be transferred directly to another system. This could mean transferring all of your photos from one social network to another, or content from one cloud provider to another.

What should we do with our marketing lists?

Chart showing what marketers are planning on doing with their lists

In June 2017, pub chain J.D. Wetherspoon announced that it would be deleting its entire marketing list, saying “Many companies use emails to promote themselves, but we don’t want to take this approach”. They felt that holding such a large amount of data was too high a risk. While only a small number of respondents plan to follow in J.D. Wetherspoon’s footsteps, 49% were not yet sure what to do with their lists. “The first thing you should be doing is mapping your data. This means finding out what you have, where it is, who is in control of it and how it is used”, says Nick Henderson, Director of Course Development at VinciWorks.

18% of organisations do not know what a Data Protection Impact Assessment (DPIA) is

A table showing how many companies have carried out a DPIA

Carrying out a DPIA can be a time-consuming process, so it is worrying that so many organisations had never heard of the term prior to the webinar, with a further 45% having not yet started their DPIA.

What is a DPIA?

A DPIA is essentially a risk assessment an organisation should carry out before starting any major new project that might affect data protection. It is also a good idea to conduct one on current data processing activities. It contains a detailed description of the processing operations, an assessment of the risks to individuals, and the controls that have been or need to be put in place to protect their information. Ideally, the DPIA should be integrated into the project plan. Where the processing remains high-risk, you may need to consult the ICO and share the DPIA with them.

Processing subject access requests

Chart showing the number of subject access requests processed

With over 60% of organisations having never processed a subject access request, businesses may lack clarity and understanding on how to process a request.

What is a subject access request?

A subject access request is a request by a data subject to obtain all the data your organisation holds on them. Under the new GDPR right to data portability, an individual can now request, free of charge, that all their data be transferred to another system, a service that under the UK Data Protection Act 1998 costs £10.
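The data mapping, portability and subject access request points above come together in practice as a small amount of tooling: an inventory of which stores hold personal data (and who controls it and why), a routine that pulls every record on one person out of those stores into a machine-readable export, and an erasure routine that records what was removed and what had to be retained. The following is an added example written for this page, not VinciWorks' code; the stores, records, e-mail addresses and the retention exemption are all constructed sample data.

```python
"""Added example (not VinciWorks' code): a minimal data map, a subject access /
portability export and an erasure routine built on top of it.
Every store, record and address below is constructed sample data."""
import json
from dataclasses import dataclass, field


@dataclass
class DataStore:
    name: str
    controller: str      # who within the organisation controls this data
    purpose: str         # why it is held
    subject_key: str     # field that identifies the data subject in this store
    records: list = field(default_factory=list)


# Stores whose records must be kept despite an erasure request (e.g. accounting
# records subject to a statutory retention period). Assumption for this example.
RETENTION_EXEMPT = {"orders"}


def make_sample_stores():
    """Constructed data map: what we hold, where it is, who controls it, why."""
    return [
        DataStore("crm", "Sales", "customer relationship management", "email", [
            {"email": "alice@example.com", "name": "Alice", "phone": "0123"},
            {"email": "bob@example.com", "name": "Bob", "phone": "0456"},
        ]),
        DataStore("newsletter", "Marketing", "email marketing list", "email", [
            {"email": "alice@example.com", "consent": True, "opted_in": "2017-03-01"},
        ]),
        DataStore("orders", "Finance", "order fulfilment and accounting", "customer_email", [
            {"customer_email": "alice@example.com", "order_id": 1001, "total": 42.0},
            {"customer_email": "bob@example.com", "order_id": 1002, "total": 7.5},
        ]),
    ]


def subject_access_export(stores, subject_email):
    """Collect every record held on one subject across all mapped stores.
    The result is a plain, JSON-serialisable structure: the machine-readable
    form that the portability right requires, with provenance per store."""
    export = {"subject": subject_email, "sources": []}
    for store in stores:
        matches = [r for r in store.records if r.get(store.subject_key) == subject_email]
        if matches:
            export["sources"].append({
                "store": store.name,
                "controller": store.controller,
                "purpose": store.purpose,
                "records": matches,
            })
    return export


def export_as_json(stores, subject_email):
    """Serialise the export so it can be handed to the subject or another system."""
    return json.dumps(subject_access_export(stores, subject_email), indent=2, sort_keys=True)


def erase_subject(stores, subject_email):
    """Remove the subject's records from every store without a retention
    exemption. Returns an erasure log so the request can be evidenced later."""
    log = []
    for store in stores:
        hits = sum(1 for r in store.records if r.get(store.subject_key) == subject_email)
        if store.name in RETENTION_EXEMPT:
            log.append({"store": store.name, "action": "retained", "records": hits})
            continue
        store.records = [r for r in store.records if r.get(store.subject_key) != subject_email]
        log.append({"store": store.name, "action": "erased", "records": hits})
    return log


if __name__ == "__main__":
    stores = make_sample_stores()
    print(export_as_json(stores, "alice@example.com"))
    print(erase_subject(stores, "alice@example.com"))
    print(export_as_json(stores, "alice@example.com"))
```

The export is only as complete as the data map behind it, which is the point of Nick Henderson's advice: a store that is not in the inventory will silently be missed by both the access request and the erasure, and the erasure log is what lets you show a regulator which records were removed and which were retained, and why.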

GDPR compliance assessment

How ready are you for GDPR? Have you conducted any GDPR-focused data audits? Have you updated your privacy notices for GDPR? Take our short assessment to gauge your level of compliance under GDPR, with a score and helpful feedback given upon completion.

Preparing for GDPR day – 10 things to do now

VinciWorks has created a short guide to help organisations see what they still need to do to prepare for GDPR. The guide is also part of our GDPR resources page.

How are you managing your GDPR compliance requirements?

GDPR adds a significant compliance burden on DPOs and data processors. Data breaches must be reported to the authorities within 72 hours, each new data processing activity needs to be documented, and Data Protection Impact Assessments (DPIAs) must be carried out for processing that is likely to result in a high risk to individuals. Penalties for breaching GDPR can reach into the tens of millions of Euros.