The General Data Protection Regulation (GDPR) will come into force on 25 May 2018, and the British government has confirmed it will adopt the legislation while the country remains in the EU.
With less than 18 months to go until implementation, many organisations remain entirely unprepared. More than half (54 percent) of organisations have failed to commence any kind of preparation to meet even the minimum standards of GDPR, according to recent research by information management company Veritas.
The regulation enforces complex data obligations for companies that current policy is unlikely to satisfy, and damaging fines for breaches.
What is the GDPR?
The GDPR was adopted by the European Parliament in April 2016 following four painstaking years of deliberation. The provisions reinforce data protection in line with contemporary concerns about personal information, and apply to both EU member states and organisations outside the union when processing the data of citizens within it.
Regulations have been harmonised to ease compliance, with one set of laws applying across all 28 member states. The clarity comes with severe penalties for violations. Breaches could result in a fine of up to €20 million (£17 million) or four percent of worldwide revenue, whichever is higher.
The sweeping legislation presents a range of compliance and operational challenges for British businesses, requiring thorough planning and additional resources.
GDPR explained: Company fears
Almost 40 percent of businesses are fearful of a major compliance failing, while just under one third (31 percent) are worried about reputational damage from poor data policies, according to the Veritas survey of more than 2,500 senior technology decision makers.
Collective responsibility is essential to prevent such fears being realised. The GDPR requires privacy protection by design and by default, which needs a comprehensive compliance programme supported throughout the organisation, according to a report by software company Avepoint and privacy think tank the Centre for Information Policy Leadership (CIPL).
It recommends embedding data security requirements throughout the organisation at every stage of each business process, from planning to release.
GDPR explained: Business-wide commitment
Confusion reigns over who bears responsibility for the regulation. Almost one third (32 percent) of respondents believe the chief information officer is responsible, versus 21 percent for the chief information security officer, 14 percent for the chief executive officer and 10 percent for the chief data officer.
According to the Avepoint and CIPL report, they all are.
"GDPR and data privacy compliance are closely related to a company's data strategy, big data and analytics, and data-driven innovation," it states.
"It also supports the fact that data is critical to many business processes, products, and services. This is why GDPR implementation must be a concerted effort across the organisation, with the DPO working hand-in-hand with Chief Data Officer (CDO), Chief Information Officer (CIO), Chief Information Security Officer (CISO) and other senior leadership."