Our community looks at how compliant they are with the new legislation

With the General Data Protection Regulation (GDPR) finally taking effect at the end of May across the EU, we asked the Governance and Compliance and Core community to discuss how their organisations had responded to it.

The headline figure revealed that only half were ‘fully compliant’ on the enforcement date of 25 May, with roughly a quarter (27%) not fully compliant and the rest (23%) unsure.

One respondent reflected a common view across organisations: ‘Basics are in place; further refinements are necessary.’ Another said: ‘Given that compliance is an ongoing journey, I estimate we are more than 95% compliant at any point in time.’

Representing those not quite ready, one respondent said: ‘The organisation was very nearly fully compliant on 25 May, but there remained some outstanding contract amendments and a third party we rely upon for part of our business did not implement a technology solution on time.’

Contrasting the split in readiness, there was broad agreement that preparing for GDPR had taken its toll. Some 78% of respondents said it had been a heavy burden on their organisation’s resources, with 13% saying it had not and 9% unsure.

‘We simply did not have the internal resource to deal with a project of this nature,’ one person said. ‘We engaged external solicitors, but they themselves saw an increased workload, which reduced their response time for us.’

In a similar vein, another said: ‘Tech resources have been diverted from business improvements to compliance, when a UK company should be focusing on using technology to improve productivity and drive the business forward.’

One respondent took a wider view: ‘Significant change always places a burden on an organisation and external subject matter expertise is often required. GDPR was no different to other significant change projects or regulatory change.’

Some organisations were also less affected. ‘We do not hold much personal data – only that of employees and trustees – and good practice (and use of cloud services) was already in place years before,’ one person said.

Responses expanding on specific problems with GDPR compliance revealed a range of concerns. One person said that, as part of a global organisation, ‘getting face time from all parts of the organisation’ was tough.

Another respondent said: ‘Lack of clarity on some of the rules and requirements was an issue. Some guidance was only finalised in the weeks leading to 25 May, which meant plans for roll-out either had to be delayed or changed.’

Similarly, another person complained of ‘misleading information from ‘‘expert’’ consultants that merely sought to muddy the waters to gain from the new legislation. The Information Commissioner’s Office advice should have been published earlier to dispel myths.’

Some problems related to technology: ‘The key issues have related to technical measures – privacy by design and default – especially with respect to legacy systems that are not inherently designed to cope with the information protection, retrieval and deletion requirements of the GDPR.’

Other concerns were more banal. ‘Frustratingly, the biggest hurdle that our partnership has faced has been trying to get certain employees to adhere to clear desk policies and correct storage of personal data,’ one person said.

Another person noted ‘some fears to overcome with staff who wanted to step away and not do anything with personal data, as [they] were too scared of doing it wrong. So staff training and awareness was a massive element of the project.’

On long-term operational impact, there were various responses. ‘[There will be] little impact on the day to day, but more frequent reviews of compliance with our own policies will take place,’ one person said.

Another person said the operational impact will be ‘very little. It will potentially slow down the transfer of data as people stop and think even more than usual about how personal data is to be handled.’

Conducted in association with The Core Partnership

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.