Majority of organisations expect a GDPR audit in the next 18 months

6 Dec 2017


Less than six months to go until the arrival of GDPR. Are you ready?

With the onset of the EU’s General Data Protection Regulation (GDPR) in May 2018, businesses expect the next 18 months to be a time of significant upheaval.

A nationwide survey into preparedness for GDPR by Amárach Research, on behalf of data compliance software firm Wizuda, found that although only 37pc of companies have previously been subject to a data protection audit, 55pc think they will be subject to one in the coming 18 months.

On 25 May 2018, all European businesses and organisations that handle customer data will have to comply with GDPR. GDPR is an overhaul of European data protection laws and could impact every business, individual and member of a public-sector organisation across Europe.

For organisations, it will mean establishing clear procedures around consent and having a legal basis for gathering data, especially in the digital world.

Some organisations – especially those in the public sector – will have to appoint data protection officers.

Failure to comply could lead to fines of up to €20m, or 4pc of turnover.

A third of organisations have not even started preparing for GDPR

Wizuda commissioned Amárach Research to conduct the national research project across 175 organisations, investigating GDPR awareness, prioritisation and obligations. This study focused on SMEs and targeted IT decision-makers such as IT directors and heads, CIOs, and CISOs.

The survey showed that 69pc of Irish SMEs consider themselves to be data processors. Under GDPR rules, all data processors must now make available all information necessary to demonstrate compliance and allow audits to be conducted by the data controller.

With the recent 56pc budget increase given to the Office of the Data Protection Commissioner (ODPC), along with the prescriptive obligations that data controllers must now place on data processors under GDPR, only 19pc of Irish SMEs believe that they won’t be subject to a data protection audit in the next 18 months.

With less than six months before the GDPR comes into full effect, the survey found that more than a third of Irish organisations have not yet started work on their GDPR compliance project, with just over a quarter (26pc) indicating that other projects were a priority.

Wizuda’s research also revealed that, despite awareness of data privacy demands, 57pc of organisations still use email to send personal data.

This, Wizuda managing director Danielle Cussen warns, greatly exposes organisations to a potential data breach or data audit failure. Added to this, two in five organisations are using old in-house scripts to transfer data, making it difficult to demonstrate compliance when requested in an audit.

“Whilst it is worrying that less than two-thirds of Irish SMEs have actually started their own project, it is good to see that 80pc of those surveyed see IT as a major stakeholder in their GDPR-compliance programme,” said Cussen.

“Both the ODPC and data controllers will be looking to ensure that all data processors are GDPR-compliant, so we would expect the number of Irish companies planning for a data protection audit continuing to increase in the run-up to May 2018.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years