A new poll shows how heavily implementing GDPR has affected the resources of organisations. It has resulted in organisations having to hire additional staff or external consultants as they lacked the right skills and resources in-house. This has led to significant extra costs that in some cases are still increasing.
According to Peter Swabey, Policy and Research Director at ICSA: The Governance Institute: “Achieving full compliance has been extremely time-consuming for many organisations and there is some concern that ongoing compliance will continue to be burdensome.
“Many of the areas that were named as being problematic – coordination between jurisdictions; group-wide solutions; third-party engagement; and staff training – will continue to be of importance and will require organisations to review processes and procedures on an ongoing basis. It is important for organisations to keep in mind that 25 May was just the start.”
What was the poll seeking to find out?
Enterprise Times spoke to ICSA to find out more about the poll. ICSA regularly polls its members and has a list of over 500 company secretaries and senior staff. These are spread over the public and private sectors and include several not-for-profit organisations. In this case, 82 people sent back responses.
The poll was looking to find out four things:
- Were organisations compliant by 25 May: Just 50% said yes. 27% said no and the remaining 23% didn’t know. This figure is worse than many polls that ET has seen.
- How much of a burden on resources was getting ready for GDPR: 78% said that GDPR had placed a heavy burden on their resources. This is a worryingly high number. While GDPR has had an implementation burden on all affected organisations, when spread out over two years, it should have been manageable. This high number suggests that organisations left it late to get started.
- What was the overall impact on organisations during this time: Many lacked trained staff to do the work. The result was the need to bring in costly contractors or outsource the task. With many organisations outsourcing the work, costs rose considerably.
- What were some of the problems that organisations faced: Data mapping was the biggest issue. One respondent said: “We started the exercise last summer but the data mapping took months. By the time we were ready to analyse it with our lawyers, they themselves were inundated and took some time to produce our GDPR readiness report.”
The poll did not ask organisations when they started to prepare for GDPR. Other polls that ET has seen, and its conversations with companies, have shown that GDPR preparation has often been very last minute. GDPR was passed into law on April 14, 2016, not on May 25, 2018. The gap between the two dates was intended to give organisations time to prepare for its impact.
Good and bad in the results
There is good and bad news here. The bad news is that organisations have failed to take full advantage of the time they had to prepare for GDPR. While the UK ICO has said that it won’t be sending armies of auditors into organisations immediately, it doesn’t mean it won’t start issuing fines where non-compliance becomes known.
Just half of those who responded were ready two weeks ago. This will make many boards nervous. They will want to know how much longer it will take before this is ticked off their risk schedule. The question here is how many put it on their risk schedule in 2016? The answer is likely to be very few.
It is interesting to hear respondents admit that one of the big challenges was their own lawyers. Whoever was project managing GDPR either internally or externally should have known legal signoff was required. It follows that booking time with lawyers should have happened well in advance as part of the project planning. This just indicates a failure to plan and prepare for GDPR.
Not everything is gloom and doom. One respondent wrote: “It has taken a considerable amount of time, but has provided us with a good opportunity to review contracts and arrangements with external suppliers.” Another one replied: “It will improve our approach to data handling and ensure that our housekeeping is much better. It is definitely a good thing, but, for an SME with limited resources, implementation has been quite painful.”
What does this mean?
GDPR is the biggest shake-up many organisations have had in how they handle personal data. It has forced companies to review not only what data they hold but why they hold it. They have had to develop legally acceptable processes for dealing with data requests and data erasure.
Those with an online presence have also had to disclose who else sees data when you visit their website. This has led to many US sites still refusing access to EU visitors. Part of this is that it impacts their revenue model from partners. It is also related to the problems identified in this poll, specifically the complexity of data mapping and the creation of legally approved processes.
Overall, however, there is a more serious takeaway from this poll. GDPR was passed into law in April 2016. At that point, if not before, it should have been an item on the corporate risk register. It seems that many organisations failed to recognise the risk. The two years to get ready should have been more than adequate to review data models, because GDPR builds on existing privacy laws. The time taken strongly suggests that many organisations were not in compliance with those existing laws.
It will be interesting to see how long it takes before ICSA asks the question of GDPR compliance and gets a 100% response.