GDPR Journey: from ready to compliant.
GDPR survey results
Readiness at a glance
The General Data Protection Regulation (or ‘GDPR’) took full effect on 25 May 2018. As a key data protection regulation, the GDPR has changed the way organisations treat personal data. The regulation has introduced many changes to data protection, including broadening territorial applicability and scope, enhancing and extending the data protection principles, shortening timelines, and making data processors accountable along with data controllers for personal data processing. Previously, Deloitte Ireland published a number of articles about the GDPR and its impact on organisations, which can be found on our website.
Deloitte Ireland carried out a survey to gain an understanding of how Irish organisations are tackling the challenges that the GDPR imposes. At a glance, the survey revealed that organisations addressed a number of the GDPR requirements and reached a defensible position. However, GDPR compliance is not a once-off project. Instead, it is a wide range of activities required to ensure continuous management of the risk going forward. Furthermore, the principle of accountability requires organisations to be able to show compliance with the data protection principles. Accountability obligations are ongoing and are not a ‘tick the box’ exercise; instead, they require organisations to be proactive about the personal data that they process in order to demonstrate their compliance with the regulation.
This article provides an overview of the challenges that Irish organisations faced and how they stand now that the regulation is live.
High Level Overview of Preparation Activities
Compliance with the GDPR required significant effort in addition to specific knowledge and expertise. The challenges that the regulation presented were significant for organisations. Not all organisations had the capacity to have a full-time team dedicated to implementing GDPR compliance solutions in their environment. Therefore, it was not surprising to learn that only 14% of organisations noted that they were ready for the regulation and deemed themselves fully compliant. The remaining participants indicated being partially compliant.
Possibly the most impactful drivers to comply with the regulation were the changes in the administrative fines for non-compliance or violation. The fines are defined as follows:
• The lower threshold is a potential fine of €10 million or 2% of total worldwide annual turnover (whichever is greater) for serious breaches; and
• The higher threshold is a potential fine of €20 million or 4% of total worldwide annual turnover (whichever is greater) for very serious breaches.
Therefore, it was not surprising to learn that, for more than 50% of respondents, high fines acted as an effective motivator to start paying attention to data protection and privacy. What was surprising, however, is that 43% of the companies noted that their leadership already had privacy on their agenda.
To date, organisations have invested a substantial amount of resources in order to reach a certain level of compliance by the end of May 2018. However, it is important to carry on with the work they started during the preparation for the GDPR. The work will be ongoing and will remain so due to the ongoing requirements, complexities and challenges that organisations face.