GDPR: These are the organisations which are least prepared

With under four months to go until the new data protection legislation is enforced, some of the organisations most reliant on using personal data aren't ready for the new rules.
Written by Danny Palmer, Senior Writer

Video: Five things you need to know about GDPR

The organisations most reliant on collecting, analysing, and using personal data are some of the least well-equipped to deal with incoming data protection regulation legislation -- just months before it's due to come into force.

Those who are found not to be compliant with the General Data Protection Regulation (GDPR) -- a new set of rules from the European Union which aims to simplify data protection laws and provide citizens across all member states with more control over their personal data -- could face fines if found to misuse, exploit, lose, or otherwise mishandle personal data.

Once GDPR comes into force from 25 May 2018, the financial penalties for failing to comply, especially if the organisation is hacked and found to be negligent, could potentially reach four percent of company turnover.

However, a report by analysts Forrester suggests that many organisations may not be GDPR compliant by 25 May: just a quarter of organisations across Europe are thought to be GDPR compliant already, while another 22 percent expect to be GDPR compliant in the next 12 months.

But, despite GDPR becoming law in just under four months, Forrester found that 11 percent of organisations are still considering what to do about it, while eight percent of organisations aren't familiar with GDPR at all.

Forrester's research found that it's organisations in media and retail -- sectors which handle some of the largest amounts of customers' personal data -- are currently the least prepared for GDPR, with just 27 reported to be fully GDPR-compliant.

See also: What is GDPR? Everything you need to know about the new general data protection regulations

These firms are typically based around data-driven activities related to direct marketing, personalisation, and customer profiling, but many have only recently started to take GDPR seriously. Indeed, some firms in media and retail have only begun making moves towards GDPR compliance "under the pressure of their own customers", says The State of GDPR Readiness report.


Retailers are said to be some of the organisations least prepared for GDPR.

Image: iStock

Among the industry-specific issues retailers will need to be prepared for are ensuring compliance with rules regarding consent and data subject rights, including the right to be forgotten.

Download now: Data classification policy

That's in addition to ensuring that all data is protected from internal or external misuse, and that in the event of a data breach, all customers and the authorities are informed about the data that's potentially at risk within 72 hours following the discovery of the breach.

The reason why media and retail lag behind others when it comes to preparing for GDPR is because "firms in these verticals haven't traditionally been subjected to high regulatory pressures", Enza Iannopollo, analyst on security and risk at Forrester and author of the report told ZDNet.

"In addition, these organisations do not have a well-defined approach to risk management, which also contribute to delay the execution of their GDPR compliance strategies," she added.

While media and retail lag behind on GDPR compliance, it is finance which leads the way in being prepared for the new legislation: the banking sector is highly aware of the damage which could be done if data was exposed or otherwise mishandled - and that not being GDPR compliant could result in additional regulations for financial firms, something which many in the industry may view as unwanted.

The Forrester report also details how there are still large numbers of organisations around the world who mistakenly that GDPR doesn't apply to them. But if an organisation does business or has customers in a European Union country -- especially if data about customers is collected -- they need to comply with GDPR.

A recent UK government report suggested that under half of businesses are aware of the upcoming GDPR laws or what they mean for information security is handled.

Recent and related coverage

GDPR: Deadline looms but businesses still aren't ready

The UK government is warning organisations that they must prepare for new data protection laws now -- or face the consequences when they come into force.

Trevor Hughes: How companies should prepare for GDPR

Trevor Hughes, president and CEO of the International Association of Privacy Professionals, explains how companies should prepare for GDPR and respond to global political uncertainty.

Ahead of GDPR, Segment sees growing pushback against third-party data sharing

The customer data platform is offering new features to comply with the impending rules, which fit into the platform's focus on first-party data.

Why US law firms will be affected by GDPR(TechRepublic)

Relativity's David Horrigan explained how the GDPR can help your company streamline operations and improve customer confidence.


Editorial standards