The GDPR The Clock is Ticking An industry report on GDPR preparedness



The GDPR: the clock is ticking

This report details just how prepared (or otherwise) British businesses are for the new regulations, and which sectors are in the best and worst positions, with the GDPR just a short time away.

Friday 25 May 2018 is a date that should be written clearly in every company director's diary. That is the date when Regulation (EU) 2016/679, better known as the General Data Protection Regulation, or the GDPR, comes into force.

We have carried out a survey of more than 460 senior decision-makers (SDMs) at British businesses to gauge their awareness of and readiness for the GDPR. This report summarises the results of that survey, together with the results of the survey of FTSE 350 companies on cyber risks carried out in July 2017 by the Department for Digital, Culture, Media and Sport. It details just how prepared (or otherwise) British businesses are for the new regulations and for the threats posed by cyber attacks, and which sectors are in the best and worst positions.

It cannot be overstated how far-reaching a change the GDPR will be to the data protection landscape in the UK. It harmonises data protection rules across the European Union and substantially increases the strictness of data protection compliance regulation in this country, with the prospect of severe penalties for organisations that do not comply. The new regime comes at a time when personal data is becoming increasingly important to businesses: owning and exploiting customer data is now a key part of a business's competitive strength, meaning the GDPR really is raising the stakes.

This report may serve as a data risk wake-up call for some industries, but the good news is that there is still time to get your business in shape for the GDPR.

CB Comply, the new service from Collyer Bristow, can help you move your business, regardless of size or sector, towards full compliance with the GDPR ahead of next May's deadline. CB Comply can be found at [web address missing in source]. Alternatively, our CB Comply team can be contacted at comply@collyerbristow.com. We can also put you in touch with cyber security experts to check the security of your systems and procedures.

"Our survey shows that a lot of businesses in the UK still have a long way to go to be GDPR-compliant by May, and the clock is ticking."
PATRICK WHEELER, Partner and Head of Intellectual Property and Data Protection at Collyer Bristow

Our findings: the top line

- 27% of senior decision-makers (SDMs) at British businesses are still not familiar with the GDPR
- Financial Services is among the very best-performing sectors: 86% of SDMs are aware of the GDPR
- The worst-performing sectors include real estate and construction, where only 65% of SDMs are familiar with the GDPR
- Only 45% of SMEs are aware of the GDPR
- Only 6% of businesses are completely prepared for the new data protection rules*
- 7% of businesses still believe that Brexit will mean that the GDPR will not be implemented into English law
- Senior management have little or no direct involvement with data protection at 57% of businesses polled
- 20% of businesses have still taken no steps to prepare for the GDPR
- 23% of businesses have no data breach contingency plan in place
- 18% of businesses would be at risk of insolvency if they were hit with the largest penalty possible under the GDPR
- One in ten FTSE 350 companies operate without a response plan for a cyber incident*
- More than two-thirds of FTSE 350 company boards had received no training to deal with a cyber incident*

The five key facts every business needs to know about the GDPR

- The GDPR applies to all organisations collecting personal data about individuals in the European Union, regardless of where the organisation is based or its size
- Personal data can be any identifying information about any person, from a name and address to financial details, or even posts on social media
- Many breaches of data protection must be reported to the relevant authority (in the UK's case, the Information Commissioner's Office (ICO)) within 72 hours
- There is no minimum standard of what constitutes a data breach under the GDPR
- Organisations that commit a serious breach of the GDPR can be liable to fines of up to €20 million or 4% of worldwide turnover, whichever is higher: potentially balance-sheet-threatening levels

Patrick Wheeler, Partner and Head of Intellectual Property and Data Protection at Collyer Bristow, says: "Our survey shows that a lot of businesses in the UK still have a long way to go to be GDPR-compliant by May. The sooner they start the process, the better. The good news is that they do still have time to get a clear understanding of where their business currently stands on data protection and what they will need to do to become GDPR-compliant. A business that starts working on this today can be a fully compliant business by next May, or at the very least, well on the way towards compliance. In particular, real estate and construction businesses urgently need to look at GDPR compliance before it's too late; in many cases they are well behind banks and retailers. Businesses also need to train their staff both to understand data privacy requirements and to spot and avoid cyber risks. How well prepared a business is and how it responds to a data breach or a cyber attack can make the difference between a major and a minor business interruption."

The interpretation of personal data under the GDPR is very broad, and it is not only the risk of enormous fines, but also the very serious reputational damage that will result from a data or cyber breach, that means no business can afford to treat its data protection policies and procedures as a low priority.

Our research: the GDPR affects you

Given the substantial reach of the changes to data protection within the GDPR, and the potentially business-critical size of the fines the regulator will be allowed to levy under the new regulations, there is still a great deal of concern that many organisations remain underprepared for the GDPR.

While data protection and cybercrime risks have a much higher profile than five or ten years ago, there is still a sense that they are primarily a concern for large businesses, and for those holding huge databases of information about members of the public, such as retailers, utility companies and public authorities. The GDPR makes data protection an everyday, board-level concern for every business, of every size, in every industry. If your business holds any data about any individual within the EU, whether customer, employee, new business target or any other category, the GDPR and its penalties apply to you.

These concerns are why we chose to survey more than 460 senior decision-makers at British businesses, to find out:

- How prepared they are for 25 May 2018 and the introduction of the GDPR
- How much they know about the new regulations, including how Brexit affects the GDPR
- What steps they have taken to ready their businesses
- How they rate their own current data-management practices
- How involved SDMs are with data protection issues
- How well-prepared they are to respond to a data breach
- Whether their businesses could afford to pay GDPR penalties

Our findings: awareness of the GDPR

As 25 May 2018 draws closer, publicity around the GDPR and its impact on businesses has increased. More businesses have become aware that they need to prepare, and have gained an understanding of their new responsibilities regarding data protection. That said, it is still very worrying indeed for our survey to find that 27% of SDMs still have little or no familiarity with the GDPR at all. These businesses are running the risk of sleepwalking into data breaches, with very serious business consequences, through simple errors.

At a more granular level, there are significant differences between the best- and worst-performing sectors when it comes to awareness of the GDPR. Among the best-performing sectors is Financial Services, where 86% of SDMs are familiar with the regulations. One of the advantages of operating in such a highly regulated sector is a heightened awareness of issues like the GDPR, and an ability to adapt quickly to far-reaching changes to the regulatory landscape. For other sectors, this is not the case. In real estate and construction, only 65% of SDMs are aware of the GDPR. SDMs in these sectors should understand that the GDPR, and the substantial risks that non-compliance gives rise to, apply equally to businesses in all sectors, even those that do not traditionally hold large databases of customer information. The interpretation of personal data in the GDPR is as broad as possible: a single name and address of an individual counts. Every business that has employees or deals with customers or suppliers anywhere in the EU is affected.

Awareness of the GDPR among senior decision-makers, by business size

Our survey also shows that knowledge of the GDPR is much lower among smaller businesses. On a size basis, awareness of the GDPR among SDMs is:

- 45% at businesses with fewer than 250 employees
- 86% at businesses with [size band missing in source] employees
- 95% at businesses with 501-1,000 employees
- 70% at businesses with more than 1,000 employees

The assumption that data protection is only a concern for bigger businesses may well be a factor here, with SME SDMs perhaps believing that they do not hold the sort of personal data that falls within the scope of the GDPR. To reiterate: all personal data anywhere in the EU falls within the scope of the GDPR.

SDMs at the largest businesses may be less aware of the GDPR if they believe that data protection is an issue for the IT or HR department. With the introduction of the GDPR, this is no longer the case. Data protection, cyber security and risk management are now firmly board-level concerns, due to the size of the potential penalties and the potential damage to business reputation.

Our findings: preparation for the GDPR

While only 20% of SDMs say that their businesses have taken no steps to prepare for the GDPR, this statistic does not provide the full picture. An additional 19% of SDMs say that they don't know whether their businesses have prepared for the introduction of the new regulations.
In some ways, the second statistic presents an even more worrying scenario. The SDMs whose businesses have not prepared for the GDPR are at least aware that there may be a problem to address, or believe that they genuinely do not hold any personal data, however unlikely that now is. The "don't know" group, by contrast, are completely in the dark. This speaks to a need for higher levels of engagement with data protection responsibilities at the most senior levels, something we address later in this report.

On a sectoral basis, financial services is once again the stand-out performer, with 80% of businesses already having taken steps to prepare for the introduction of the GDPR, followed by retail (67%). At the other end of the table, the industry with the highest percentage of respondents having taken no steps to prepare for the GDPR is real estate and construction (35%).

Our findings: paying the penalty

With the maximum potential GDPR penalty standing at either €20 million or 4% of global turnover, whichever is higher, a serious data breach now represents a balance-sheet-threatening risk. Our research found that if forced to pay a fine of that size, only 27% of SDMs are confident that their businesses would be able to meet it out of existing cash reserves. 28% say they would have to take out a loan to cover the cost, while 18% say that it would put the business at risk of insolvency. Only 6% say that they have insurance against such an event, although, in reality, it is unlikely that insurance would cover such a fine.

While the risk of a fine of this magnitude may be small, reputational damage is very likely to result from the publicity that will inevitably come from any serious or high-profile breach.

Our findings: senior management involvement with data protection

Our research finds that at 57% of businesses, senior management has little or no involvement with data protection. While delegating data protection responsibility further down the organisation was once both common and understandable, the introduction of the GDPR, and the change in the way in which data processors and data controllers will be held accountable, mean that it must now be treated as a board-level issue. Responsibility for dealing with a serious cyber hack or a data breach carrying a potential fine of up to €20 million or 4% of global turnover cannot rest with relatively junior IT or HR staff, regardless of how well-qualified and well-equipped they are.

Our findings: data breach contingency planning

In addition to the regulatory requirements of the GDPR, simply having a contingency plan for a data breach in place is now an important step for virtually all businesses to take. Our research found that overall, 23% of businesses have no data breach contingency plan in place. By sector, this rises to 38% in real estate and construction, and a worryingly high 42% in the retail sector.

Given the exponential rise of personal data collection in retail, it is surprising to see such a large proportion of businesses unprepared for a data breach. It is increasingly common for customers to be asked for their address, mobile telephone number and even date of birth when completing a purchase. Loyalty card schemes have long been a staple of the high street, and online retailers are unable to function without collecting significant amounts of (often) sensitive personal data on their clients.
The retail sector is increasingly being targeted by sophisticated cyber-criminals in the UK and overseas. Data breaches at Debenhams and Sports Direct in the past year show that even well-resourced businesses can fall victim to hacks. Having a robust contingency plan is critical to minimising the fallout from a breach on financial, regulatory and reputational levels.

Our findings: current data management

With the GDPR just around the corner, it is now time for businesses to assess their current policies for managing the personal information they store. It is critical to remember that the GDPR interprets the term "personal information" very broadly, with data as basic as a name and a telephone number falling well within the scope of the new regulations.

Our research found that 40% of SDMs believe the security of their data against cyber threats could be improved. This, in a sense, is good news: they recognise that the issue exists and must be addressed. But little time remains for this to happen, and recognition without a plan of action is of no practical use. 40% of SDMs say the regularity of data checks in their businesses could be improved, while 40%, again, say the accuracy of the data held is a concern.

Our findings: data risk assessments

Perhaps the most positive finding in our research is that 66% of businesses are planning a data risk assessment in 2017. This is the essential first step that any senior decision-maker must take, both to protect their business from the risk of a data breach and to approach compliance with the stringent new requirements of the GDPR. While undertaking a data risk assessment is only the start of the process, it gives businesses a firm idea of where their vulnerabilities lie, what data they hold that falls within the scope of the GDPR, how robust current policies and procedures are, and what the next steps are in complying with the new regulations. This allows the business to put a schedule in place to ensure that progress is made, as smoothly as possible, as the deadline approaches. There is still time to put the critical processes in place without panic, but a start must be made as soon as possible.

The GDPR and Brexit: will the GDPR just fall away?

As a European Union regulation, the GDPR will be in force from 25 May 2018 until the United Kingdom exits the EU, which on the current timetable is expected to be no later than the end of March [year missing in source]. However, the provisions of the GDPR will be retained by the UK if this country adopts domestic legislation containing the same provisions. This is almost certain to take place, in order to protect UK businesses trading with EU member states and to make the UK a whitelisted territory for the transfer and processing of data for GDPR purposes. A Data Protection Bill addressing these issues is currently being debated in Parliament. The picture will become clearer as both the Bill and the Brexit negotiations progress. As it stands, there is no reason for any organisation to delay or halt preparations for the GDPR, regardless of Brexit.

Our survey shows that there is still plenty of doubt remaining around the effect of Brexit on the GDPR, with only 52% of businesses fully aware that the regulations will be implemented regardless of the UK leaving the EU. While only 7% are incorrectly confident that Brexit will make the GDPR fall away, the remaining 41% seem to have been affected by the general uncertainty around what the Brexit deal will entail.
Conclusion: much remains to be done, but there is still time

Our survey has painted an intriguing portrait of UK businesses' knowledge of, and preparation for, the introduction of the GDPR in May 2018. Our key takeaways from the research are:

- Some well-regulated sectors, such as financial services, are well ahead of the game in preparing for the GDPR
- Others, including real estate and construction, have a great deal to do in the remaining time before the GDPR begins if they are to avoid falling foul of the new regulations
- Senior leadership across virtually all sectors needs to take data protection more seriously: it is now a board-level issue
- SMEs need to be aware that the GDPR will affect them just as much as it will affect the largest businesses
- Undertaking a data risk assessment is the most obvious first step every business should take on the road to GDPR compliance

So while the clock is most certainly ticking for businesses on the GDPR, it is not quite midnight yet. There is still time for businesses to be either fully compliant or well on the way towards compliance with the GDPR on its start date, and so reduce the risk of business-critical consequences.

Our experts in the CB Comply team can guide a business of any size or sector through the journey towards compliance with the GDPR, starting with the data risk assessment that forms a crucial first step, and continuing through policies, procedures and training. Further information can be found at [web address missing in source]. Alternatively, our CB Comply team can be contacted at comply@collyerbristow.com or on +44 (0) [number missing in source].

* Data from HM Government, FTSE 350 Cyber Governance Health Check Report

Collyer Bristow LLP is a limited liability partnership registered in England under number OC318532, registered office 4 Bedford Row, London WC1R 4TF, and is regulated by the Solicitors Regulation Authority under number [missing in source]. Any reference to a partner means a member of the LLP or an employee with equivalent standing and qualifications. A list of the members is available for inspection at the above address. Collyer Bristow LLP is Lexcel accredited.

Disclaimer: The content of this report is provided for general information only and does not constitute legal or other professional advice. Appropriate legal or other professional opinion should be taken before taking or omitting to take any action in respect of any specific problem. Collyer Bristow LLP accepts no liability for any loss or damage which may arise from reliance on information contained in this newsletter.

Copyright 2017 Collyer Bristow LLP.