Companies’ GDPR readiness not at the level where it should be

A survey conducted by Privacy Laws & Business reveals that less than half of the respondents have created a breach notification procedure, even though breach notification to regulators will be mandatory from next May under the EU General Data Protection Regulation (GDPR).

A cornerstone of the GDPR, accountability, requires staff training, but only half of the respondents have so far created a training programme.

However, around 64% of the respondents already have a Data Protection Officer, and another 9% were going to appoint one before the GDPR enters into force on 25 May 2018. Half of the respondents were currently conducting a data protection audit, and in the large majority of cases this work was being done in-house. But worryingly, a quarter of the respondents said that they have reviewed less than 25% of their data protection policies, or none at all, to make sure that they comply with the GDPR.

The overwhelming majority, 82%, had already established the purposes for which they process personal data. But only 14% had reviewed their supplier contracts from a data protection perspective. Most organisations had not yet reviewed their methods of obtaining consent from individuals, or were still working on it.

The survey, which was sent to nearly 6,000 PL&B clients and prospects, sought organisations’ views on their GDPR readiness. The 251 respondents were mostly but not exclusively from the UK, and the survey ran between 31 May and 23 June.

Summary of the survey results

The results were announced today at PL&B's 30th Annual International Conference in Cambridge. The conference has several sessions on GDPR compliance and a progress report on GDPR implementation. The 50+ speakers from 15 countries include DPAs, companies, law firms, and academics.

A more detailed analysis of the survey results will be available in the PL&B UK Report.