GDPR: Deadline looms but businesses still aren't ready

The UK government is warning organisations that they must prepare for new data protection laws now -- or face the consequences when they come into force.
Written by Danny Palmer, Senior Writer

Video: Five things you need to know about GDPR

Under half of businesses are aware of upcoming data protection laws they'll be subject to in just four months' time -- or what the new legislation means for how information security is handled.

A lack of awareness about the forthcoming introduction of General Data Protection Regulation (GDPR) -- a new set of rules from the European Union which aims to simplify data protection laws and provide citizens across all member states with more control over their personal data -- has led the UK government to issue a warning over businesses' lack of preparation for the change.

GDPR comes into force on 25 May 2018 and those who are found to misuse, exploit, lose, or otherwise mishandle personal data could potentially face huge fines: up to four percent of company turnover. Organisations could also face penalties if they're hacked and attempt to hide what happened from customers.

But, despite the risks associated with not being GDPR compliant, a government survey has found that many organisations aren't prepared -- or even aware -- of the legislation and how it will impact their security strategy.

Only one in four businesses in the construction sector are aware of GDPR, and awareness in manufacturing is also low. The finance and insurance sectors are said to have the highest awareness of the legislation.

Overall, the report says just under half of businesses -- including one-third of charities -- have made changes to their cybersecurity policies as a result of GDPR. Such preparations can include creating or improving cybersecurity procedures, hiring staff, and making concentrated efforts to update security software.

See also: Data classification policy (free PDF)

However, many still risk the prospect of being fined due to a lack of preparation, the government has warned.

"These figures show many organisations still need to act to make sure the personal data they hold is secure and they are prepared for our Data Protection Bill," said digital, culture, media and sport secretary Matt Hancock.

Organisations still have time to ensure that they're GDPR compliant, with Hancock pointing to free guidance available from the National Cyber Security Centre and the Information Commissioner's Office on how to ensure corporate cybersecurity policy is correct and up to date.

Rather than being fearful of GDPR, the ICO suggests organisations should embrace GDPR as a chance to improve how they do business.

"The GDPR offers a real opportunity to present themselves on the basis of how they respect the privacy of individuals, and over time this can play more of a role in consumer choice. Enhanced customer trust and more competitive advantage are just two of the benefits of getting it right," said information commissioner Elizabeth Denham.

Despite the UK preparing to leave the European Union, GDPR will still apply to organisations within the UK. The government says it will incorporate all GDPR rules issued by the European Union into a new Data Protection Bill scheduled for May.

Recent and related coverage

Ahead of GDPR, Segment sees growing pushback against third-party data sharing

The customer data platform is offering new features to comply with the impending rules, which fit into the platform's focus on first-party data.

Trevor Hughes: How companies should prepare for GDPR

Trevor Hughes, president and CEO of the International Association of Privacy Professionals, explains how companies should prepare for GDPR and respond to global political uncertainty.

Vendor Security Alliance tweaks auditing system to be GDPR compliant

The non-profit alliance has added GDPR compliance to its yearly vendor auditing system and announced it will be taking on new members for the first time.


Editorial standards