The Government’s recent data protection consultation is designed to ensure the principles outlined in GDPR are clearer. As the report rightly says “data is now one of the most important resources in the world” and therefore understanding and complying with the legislation is critical. Yet, despite this, research shows organisations of all sizes and sectors still haven’t quite got to grips with it.
Integreon’s Regulatory Readiness Report 2021 reveals UK corporates rank GDPR as the most important regulatory event, trumping the LIBOR transition, Brexit and the pandemic, which were ranked as the next three most important events.
Preparing for and managing regulatory change is a challenge in normal times, but the coronavirus has added an extra layer of complexity as many regulatory compliance teams have been forced to both adapt to working from home themselves, and deal with everyone else in the organisation also working from home.
This has resulted in huge numbers of GDPR issues around data sharing and security. Not to mention the rise in marketing communications as organisations tried to remain in touch with their customers during periods of lockdown.
The report reveals two key reasons as to why GDPR continues to be a main focus. The first is the significant increase in the number and intensity of cyberattacks, in particular the use of ransomware; attacks of this nature have soared by 93% in 2021.
And the second is business-as-usual GDPR issues, such as data transfers and dealing with customer data. There are a number of horror stories doing the rounds, including printed lists of customers being left out on the makeshift desk in the kitchen, or unsecured emails being circulated to whole teams sharing the personal information of hundreds, if not thousands, of customers.
As a result of these two issues, the number of corporations that believe they are fully compliant stands at 69%, leaving close to a third of companies non-compliant. And this figure is likely to increase as only 30% of large businesses believe they have the resources and budget to adequately maintain compliance. This has fallen by 5% since 2020.
Strikingly, a fifth of corporate respondents completely disagreed that they have sufficient budget and resources – a significant change from 2020, when zero respondents felt the same way. A concerning trend.
But what about SMEs: how are they faring? According to a study by REaD Group, awareness of the GDPR is high among SMEs (85%) and the majority are aware of their responsibilities towards their customer data, namely that under GDPR it must be kept clean and accurate or be deleted (89%).
Yet, irrespective of this knowledge, a quarter of SMEs admit they do not clean their customer data, despite it being a clear requirement of GDPR. In fact, Article 5, which sets out the principles relating to the processing of personal data, is one of the articles most frequently enforced for non-compliance by the UK Information Commissioner’s Office. At the end of last month, for instance, HIV Scotland was fined for failing to adhere to this article.
Charities, like HIV Scotland, often fall foul of GDPR. However, a review of the fines enforced by the ICO this year shows that finance companies are far and away the least compliant, racking up a total of 11 fines so far in 2021. Retail is the next most fined sector, receiving seven penalties, and technology and marketing companies come in third, receiving six fines each.
Interestingly, according to the data, the public sector did not receive a single fine last year. This is perhaps a little surprising, since we recently sent out a Freedom of Information request to all UK councils asking whether they regularly clean the data they hold. Only 12% of councils believe that they are GDPR compliant, while a further 12% admitted to doing no data management at all.
Consequently, it is likely that for savvy businesses data management and hygiene will be high on the agenda for 2022.