Third Of European Businesses Not GDPR Compliant


Over a year since it was introduced, 30 percent of European organisations are still not GDPR compliant

A significant number of European organisations have admitted that they are still not compliant with GDPR data protection rules.

A survey from tax audit advisors RSM found that 30 percent of European businesses are still not compliant with GDPR, despite it being over a year since it was introduced and the threat of hefty financial penalties.

Data protection is still costing firms dear. Facebook was recently fined $5bn for the Cambridge Analytica data-sharing scandal, and Marriott Hotels was stung with a £99m fine. British Airways was hit with a £183m fine for a data breach.


GDPR survey

The survey from RSM found that only 57 percent of businesses are confident that their business follows the rules, with a further 13 percent unsure either way.

It seems that there is no single issue to blame for non-compliance, but middle market businesses are apparently struggling to understand and implement a whole range of areas covered by the regulation.

The survey found that more than a third (38 percent) of non-compliant businesses do not understand when consent is required to hold and process data, 35 percent are unsure how they should monitor their employees’ use of personal data and 34 percent don’t understand what procedures are required to ensure third party supplier contracts are compliant.

The good news, however, is that despite the lack of compliance, GDPR is starting to have a positive impact on cyber security.

According to RSM, almost three quarters (73 percent) of European businesses say GDPR has encouraged them to improve the way they manage customer data and 62 percent say it has seen them increase their investment in cyber security. But, alarmingly, 21 percent of businesses admit that they still have no cyber security strategy in place.

“With so much pressure on organisations to meet complex requirements, we saw GDPR fatigue setting in last year,” said Steven Snaith, Technology Risk Assurance Partner at RSM UK.

“Middle market businesses were overwhelmed by information from the press, industry bodies and stakeholders,” Snaith added. “Many organisations simply gave up and reverted back to the old way of doing things.”

“But there are signs that this fatigue is about to fade. High-profile fines across Europe have demonstrated that regulators across the EU are serious about enforcement,” he added. “Businesses are scrambling to catch up once again.”

Industry view

“We live in an age when trust is increasingly top-of-mind, and this will only get more heightened as technology becomes more commonplace and pivotal to everyday life,” said Haroon Malik, Director of Cyber Security Consulting at Fujitsu.

“GDPR helps cement a responsible attitude towards data and privacy across all industries, and the fact that nearly a third of European firms are still not GDPR compliant is worrying,” said Malik. “As the amount of companies fined for breaking laws protecting consumers’ data begin to pile up – and these fines have the potential to dent a company’s reputation – more organisations need to start taking GDPR seriously.”

“But this is by no means a reason to panic,” he said. “Whilst some firms are still working to understand how GDPR is applied to their business model or industry, compared to five or six years ago, there’s been a real change in how companies use and process data. One year after GDPR came into force, businesses have become more mindful of how and why they collect and store data and are taking steps to process this in a lawful way.”
