Deloitte comments on biggest overhaul of data protection rules
22 May 2018
Peter Gooch, cyber risk partner at Deloitte, said:
“GDPR is the biggest overhaul of Europe-wide data protection rules since the 1995 EU Data Protection Directive, covering organisations of all sizes and sectors, and introducing new business responsibilities. The complexity of GDPR has already seen many organisations opting to mitigate risk, rather than strive for full compliance.
“According to a recent survey Deloitte conducted, just 15% of organisations are aiming to be fully compliant by the 25th of May. It’s likely that everyone in the UK will have their data held in breach of the regulation in one shape or form.
“Nevertheless, fines could amount to 4% of global turnover. Organisations are very aware of this as they implement their GDPR strategies.”
On ‘re-consenting’, such as opting in to newsletters, Gooch added:
“Re-consenting exercises are seeing response rates as low as 10%, drastically reducing the reach of campaigns, but at the same time reaching on average a much more engaged audience.”
Facts and figures on General Data Protection Regulation (GDPR):
- As of 25th May, significant personal data breaches must be reported to the regulator within 72 hours and potentially to customers without “undue delay”;
- Fines could potentially be up to 4% of global turnover; and
- A re-consenting exercise may be required in instances where current consent gathering does not meet GDPR’s higher standards.
Findings of 2017 Deloitte survey:
- By 25th May, just 15% of organisations surveyed by Deloitte in December expected to be fully compliant;
- By 25th May, just 38% of data controllers expected to have reviewed all processing contracts;
- 17% of organisations planned to introduce a new solution to manage consent;
- Just 35% of organisations had a data breach reporting procedure aligned to GDPR requirements;
- Less than half (48%) of organisations had a Privacy Impact Assessment procedure in place;
- 52% of organisations had chosen a risk-based, defensible position; and
- 33% organisations had not determined headcount increase requirements.
The survey in full can be found here.
Five greatest challenges to organisations:
- Ensuring that consent to hold data - where required - is informed, unambiguous and recorded;
- Developing a culture of privacy by default, while not strangling the business of the benefits of appropriate data use;
- Keeping record of decisions and positions of accountability, and demonstrating compliance;
- Estimating and securing the operational and headcount requirements to deal with the new regime long-term; and
- Transitioning programme activities that have been running into sustainable business as usual activities.
Top tips for organisations:
- Ensure all data holders are made aware of their accountability for handling personal data;
- Agree responsibilities across different parts of the organisation and ensure the approach is consistent;
- Perform risk and cost-benefit analysis to ensure any GDPR strategy meets appropriate requirements;
- Ensure internal messaging sets out the importance of the topic and the role of the individual; and
- Define a long-term operating model that ensures technology and responsibilities are monitored and assessed on an ongoing basis.
Notes to editors
In this press release references to “Deloitte” are references to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”) a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see deloitte.com/about for a detailed description of the legal structure of DTTL and its member firms.
Deloitte LLP is a subsidiary of Deloitte NWE LLP, which is a member firm of DTTL, and is among the UK's leading professional services firms.
The information contained in this press release is correct at the time of going to press.
For more information, please visit www.deloitte.co.uk
Member of Deloitte Touche Tohmatsu Limited