Almost all organizations (98%) see challenges in complying with the General Data Protection Regulation (GDPR). The biggest challenge is to know when enough has been done to comply. Organizations are looking for clearer guidelines on this.Â
GDPR, the new European regulation on data protection, really should be on the agenda in every boardroom. At the very least, boards should have heard about it, because it is due to start in May 2018. Research shows that a lot of organizations are discussing GDPR, and struggling with key elements. For instance, what adjustments in data governance are needed to comply? Should a Data Protection Officer be appointed? What opportunities arise from this new regulation? To better understand the current status of companies, SAS investigated the state of GDPR preparedness in organizations, and the biggest perceived challenges and opportunities.
We found that almost half of the organizations studied had no structured process in place for becoming GDPR-compliant. There was a significant difference between small companies, where more than half (56 percent) had no structured process in place, and large and very large organizations, where only 44 percent and 21 percent had no structured process. Of those with a structured process in place, 79 percent reported that they had started the process and 66 percent of that group believed they would be compliant by May 2018.
The research also shows that 58 percent of the organizations studied had problems with managing data portability and the so-called ‘right to be forgotten’. Almost half said that it was a challenge to find personal data within their own databases (copied datasets, CRM-data). The GDPR gives every EU citizen the right to know and decide how their personal data is being used, stored, protected, transferred and deleted. Individuals have the right to restrict further processing and to request that all their data be erased. Most companies are struggling with the tools and processes, but many are also finding it hard to interpret GDPR on data portability. Take, for example, a telecom user who has to be able to migrate all personal information, including contact details and photos, to another telecom provider if a consumer demands this. The original provider is obliged to deliver the data in a portable form.
