The answer may hinge on whether you’re a
glass-half-full or glass-half-empty kind of person. While we’re at it, how
prepared are the regulators, anyway?
With the enforcement of the General Data
Protection Regulation (GDPR) just two weeks away on May 25, organizations in the
United Kingdom are further ahead in their preparations to comply with the law’s
requirements than their peers elsewhere in the European Union and in the United
States, a new survey by professional IT network Spiceworks reveals.
A total of 61 percent of UK-based firms said
that they are or will be fully compliant with GDPR by the deadline. For the rest of the
European Union, the ratio goes down to 46 percent. Meanwhile, only one in four
US-based companies that are impacted by the new legislation will be ready in
time.
What’s the reason for non-compliance? That
depends on whom you ask. In Europe, more than 60 percent of the respondents
who will not be compliant blamed a lack of time or resources. Across the pond,
the most frequent reason – for 40 percent of respondents – was simply that GDPR
was not a priority for their organization.
The survey polled 625 IT professionals in
organizations in the United Kingdom, the rest of the EU, and in the United
States in early April.
Over to you, regulators
A not-too-dissimilar picture is actually
painted when it comes to those that are supposed to oversee the implementation
and enforcement of greater privacy protections.
A Reuters survey has found that 17 out of 24 national or regional
watchdog authorities or data protection officers in the EU that responded to
the survey are ill-prepared to fulfill their GDPR-related duties when the law
takes effect.
More precisely, the regulators said that they
lack the necessary funding or powers to fulfill their GDPR duties. The shortage
of authority is often because national governments have yet to update their
laws to incorporate the Europe-wide rules. With that in mind, most respondents
said that they would investigate complaints “on merit”.
In a nutshell, GDPR is intended to give power
back to EU citizens over how their personal information is processed and used,
including giving them “the right to be forgotten”. This means that individuals
will be able to request that businesses delete personal data that is no longer
necessary or accurate. In addition, the law’s serious implications include
data breach notification requirements and fines for non-compliance.
Further reading
We have previously covered the topic of GDPR
extensively (including in a dedicated white paper) and will continue to do so as we get closer to
the May 25 deadline.