In case you had missed the media commentary, the deluge of “don’t leave us” emails in your inbox or the vendor advertising, GDPR is of course now enforceable.
And yet, as many have reported, the number of businesses that have already taken sufficient steps to ensure ongoing adherence is small. Market research data is already being released, stating the proportion of prepared businesses ranges from 15% to 20%. Given the reports in the months preceding, and the predictions from our experts in our GDPR Interview Series released in March this year, this is roughly the proportion we expected.
The remaining 80% or so of businesses are largely split into three camps:
- Those who have so far made no efforts to comply, largely out of naivety, and probably will not make any changes for quite some time (predominantly made up of the smallest businesses).
- Those who have simply missed the deadline, but whose plans are very much in motion.
- Those who were late to start planning and are still building their strategies.
The majority sit in the second and third groups. Most businesses are aware of GDPR, at least at a basic level, and know that they need to make some changes (whether small or fundamental) to their processes to protect data subjects’ data. They have every intention of carrying them out, and of treating their customers’, partners’ and employees’ data with respect. But they have been held back by the complexity of the undertaking, a lack of internal skills and, very often, fundamental misunderstandings of what GDPR actually requires, resulting in over-complication and stretched timelines.
We have noticed this latter point repeatedly over the last few months. And not only have we seen numerous different misunderstandings as to GDPR’s scope, conditions and definitions, but we have also seen the same ones crop up time and again.
These repeated confusions often threaten to derail GDPR strategies and project timelines. To help, we have compiled the 15 misperceptions, oversights and omissions that our Data Privacy Services team have seen most frequently in the last few months of real-life GDPR client engagements. We call this our ‘Tales from the GDPR Frontline’, and some examples are below:
- How risky it can be under GDPR to integrate with partners’ systems without a full examination of exactly what data is being shared, how it is protected and who it is shared with.
- The underappreciated risks of HR data, especially the collection of non-employees’ personal data (e.g. next of kin) without those individuals’ knowledge.
- The fact that there is no such thing as GDPR ‘compliance’, at least not in the sense businesses usually understand the term
- The frequent misunderstanding of professional data, and the belief that it does not count as personal data.
- Forgetting that intra-company data sharing is not automatically lawful simply because the data never leaves the organisation.
It is our hope that these revelations, and the others within the full document, will help those companies that are still constructing their GDPR strategies. Highlighting the most common pitfalls early enough should allow them to learn from their peers, avoid making the same mistakes in their own planning and keep their GDPR projects on track as a result.
Download the full ‘Tales from the GDPR Frontline’ here.