With one year to go, businesses are entering the audit process of getting themselves ready for GDPR
Today (25th May) marks the start of the one-year countdown until the headline hitting Global Data Protection Regulations (GDPR) come into effect for organisations across Europe, ushering in a new era of data privacy.
There has been much written about the level of understanding within businesses with one study from last year saying that just four percent of UK businesses are aware of the impact the new legislation will have.
But recent DMA research suggests that nearly half (46 percent) of businesses will not be ready in time for GDPR, down from 68 percent in February, suggesting that organisations are moving from a state of awareness about the laws, to one of understanding and preparation.
Best laid plans
This was one of the main themes to emerge from a Kaspersky Lab-hosted roundtable attended by Silicon, where discussion centred around the steps needed to achieve compliance and the issues firms are facing.
"What we're seeing from a TechUK point of view at the moment is a real move from awareness that GDPR is coming to a greater understanding about what exactly is coming in a year's time and what they need to be ready for," said Sue Daley, head of cloud, data, analytics and AI at TechUK.
"Businesses are in a process of getting ready. GDPR is going to impact every organisation in the UK, whether they're large, whether they're small, whether they're medium sized. This is for everybody to think about what they need to do to become compliant.
"We're now moving from that awareness that something is coming to an understanding about how it's going to impact businesses. People are definitely looking at it and are feeding into the process."
This was echoed by Jo Bance, head of global marketing at SQS, who said: "It's definitely gone through this stage of 'what is it and does it impact us?' to then giving someone the Data Privacy Officer (DPO) responsibility and having someone being responsible in the company for really breaking it down.
"There's a lot of legal jargon and you need to understand it internally, so it's going through that cycle of awareness."
Bance highlighted how businesses are now breaking down each piece of the legislation to figure out how it impacts each specific department, although admitted that this was developing slower than she had been expected.
Caroline Hinton, head of HR at radio production company Somethin' Else, provided a real-time view of the GDPR process, explaining how her company is currently going through an "audit stage" with regards to the data it holds.
"We already process data, we already have certain standards of how we deal with confidential data, so it's just auditing what the differences are for the new regulations, where the key potential pinch points might come and then working through the various scenarios about how we get compliant," said Hinton.
"It's a lot of amending existing procedures or justifying where those procedures come from. We're definitely at that stage of moving from thinking to doing."
Evolution, not revolution
And the continuity point raised by Hinton is an important one. Businesses need to be aware that they will already be compliant with certain aspects of GDPR, which is essentially an upgrade to the 1998 Data Protection Act (DPA).
"It's important to raise the point that not everything in GDPR will be new," said Daley. "There's a lot in there that organisations will already be doing and will be very familiar to them.
"But there are some new aspects like data portability, right to be forgotten, breach notification that will be new and organisations need to think about. But I think a good message to send is that not everything will be new."
Of course there is still a lot of work for businesses, but understanding that they don't have to start completely from scratch can go a long way to alleviating some of the pressure that accompanies such a big regulatory change.
"It doesn't matter what area of business you're in, you're going to be affected by GDPR," concluded David Emm, principal security researcher at Kaspersky lab. "The task ahead might look daunting, but businesses and individual departments are already making good progress in getting their data health in order.
"To help get them over the line and keep the business running at optimum performance, processes relating to the security of personal data need to be strengthened and maintained across the board."
With twelve months to go, now is the time for businesses to start putting their best laid plans into action and make sure they are moving from awareness, to a true understanding of what is required.