As is widely known, the European Union General Data Protection Regulation, which replaces Directive 95/46/EC, will come into force in May 2018 and will bring relevant changes for all stakeholders: DPAs, individuals, and controller and processor organizations. In order to help organizations understand the key operational impacts of the regulation and to stimulate their internal change, the Centre for Information Policy Leadership – a global privacy and security think tank that works to advance privacy and security policy, law and practice – launched a survey (respondents were both data controllers and data processors of multinational organizations with annual revenue ranging from less than $1 million to more than $100 billion, operating predominantly in Europe and in the US) to evaluate their progress towards true operationalization for GDPR readiness.
Below is a brief description of the principal findings.
In general, the results of the above-mentioned survey, which closed in September 2016, show that most respondents are carrying out preparatory work: assessing the impact of the GDPR on their operations, outlining implementation plans and evaluating the dedicated resources to be committed.
Respondents seem to be at varying stages of readiness with respect to implementing the different GDPR compliance areas: less than one third feel fully or nearly compliant with key aspects of the GDPR, and they appear less confident about newer requirements and obligations, such as individuals’ rights, which have expanded under the GDPR.
Regarding the additional resources needed for GDPR implementation, organizations are already considering the impact of the GDPR on their headcount and budget: less than one fifth of respondent organizations have actually committed additional headcount, budget or external counsel spend for GDPR implementation, almost half of respondents are still in discussions regarding additional resources, and approximately 31 percent of respondents will not have any additional resources made available for GDPR compliance.
Finally, the majority of organizations responding to the survey have already appointed a group or regional data protection officer, with only 15 percent not having this role at the time of response.
Of the roughly 40 survey respondents who answered the optional question about the need for additional guidance and clarification around the GDPR, the following three areas were prioritized as requiring further clarification: (i) legitimate interest (25 responses); (ii) privacy by design and pseudonymisation (23 responses); and (iii) DPIA and risk (21 responses). These are closely followed by the topics of breach notification, notice and consent, and international data transfers. Some confusion also appears around the application of the right to data portability, with the majority of respondents (56 percent) saying either that it does not apply to their organization or that they are unsure.
As to the main concerns of organizations, the survey reveals that respondents have identified the following areas where the GDPR will have the highest impact on their organization and compliance, requiring the most operational changes and considerable implementation effort:
- a) Use of and contracting with processors: almost a third of organizations (32 percent) have already started this process. However, almost 40 percent have not commenced work on the review of standard processing terms and the renegotiation of existing contracts; this seems to be because a majority of respondents already include the newly required terms in their contracts. From the processor organizations’ point of view, they would be most impacted by the GDPR in respect of: (i) documenting all data processing activities (43 percent), (ii) complying with the terms of the controller/processor agreements (27 percent), and (iii) data transfers outside the EU (23 percent).
- b) Data security and breach notification: the majority of survey respondents are well prepared for the breach notification obligations. More than 75 percent have internal reporting procedures, 78 percent have an incident response plan, and 64 percent have an incident response team. Such results are not surprising, given that 77 percent of respondents are already subject to data breach reporting obligations, either voluntary or mandatory, under other laws.
Less than a third of organizations appear to have implemented other best-practice measures and procedures (such as conducting “dry runs” to practice responding to breach scenarios, or procuring cyber insurance), and only 28 percent currently engage forensic experts. Nonetheless, the majority of organizations are proactively implementing organizational and technical measures to minimize the likelihood and impact of a breach, and the majority are carrying out a Data Privacy Impact Assessment in the circumstances of “high risk” processing as defined by the GDPR.
Moreover, another concern relates to the GDPR’s stricter rules on consent: only a minority of organizations would be able to meet the requirements for consent under the GDPR using their current methods, while legitimate-interest processing is subject to strict conditions and balancing tests that require organizations to assess the impact on, and any risks and harms to, individuals. These difficulties seem to be an obstacle to organizations’ ability to use and re-use data, affecting companies’ data strategies and business processes.