A significant number of EU businesses are sleepwalking towards massive penalties due to a lack of awareness of the scale of the General Data Protection Regulation (GDPR) data collection challenge. This is a central finding of a major report released today by Senzing.
The research – Finding The Missing Link in GDPR Compliance – is based on the views of more than 1,000 senior executives from companies in the UK, France, Germany, Spain and Italy. It finds that, on average, a company will receive 89 GDPR enquiries per month, for each of which it will need to search an average of 23 different databases, each search taking about five minutes.
The total time spent simply looking for data will be more than 10,300 minutes (172 hours) per month, equating to over eight hours of searching per working day – or one employee dedicated solely to GDPR enquiries.
The issue is even more pronounced for large companies. These expect to get an average 246 GDPR enquiries per month, for which they will need to search an average of 43 different databases, each taking more than seven minutes.
They will spend more than 75,500 minutes per month (1,259 hours), which equates to nearly 60 hours of searching per working day – or 7.5 employees dedicated solely to GDPR enquiries every day.
The data collection challenge is exacerbated by the significant proportion of businesses that admit to not being confident about where their relevant data is housed, or to being unable to account for all their databases. More than one in ten (12 per cent) companies say they are not confident that they know where all their data is stored; less than half (47 per cent) are ‘very confident’.
Fifteen per cent of businesses are not confident that they have accounted for all the different databases containing personal/customer data, with only a third (35 per cent) stating they are ‘very confident’.
Jeff Jonas, founder and CEO, Senzing, says, ‘These findings reveal the true extent of the GDPR compliance challenge. Businesses will be faced with a mountain of data to trawl through – the end result will be a significant time and personnel cost and a great risk of missing records or worse, including the wrong records.
‘Whilst this time requirement is most onerous for large companies, they have greater resources at their disposal. Relative to size, SMEs face a similarly gargantuan task.’
High level of concern over compliance – but the problem is still underestimated by many
Although 44 per cent of companies say they are ‘concerned’ about their ability to be GDPR compliant – rising to 60 per cent in the case of large companies – many businesses are demonstrating a dangerous lack of awareness about GDPR and overconfidence that they will not be affected.
Only a third of companies (35 per cent) are aware that the potential financial fines for non-compliance, which in the worst cases can be €20 million or 4 per cent of global annual turnover, are very severe. An alarming 30 per cent say that financial penalties will have no impact at all; 15 per cent say that they ‘don’t know’ about the impact of financial fines.
Smaller businesses appear to have less appreciation for the seriousness of GDPR non-compliance. A greater proportion of large companies than SMEs understand the severity of the impact of the financial fines. Thirty-eight per cent of SMEs and 29 per cent of micro businesses recognise that the financial penalties could have a severe impact on them compared to almost half (47 per cent) of large companies.
This divide between the attitudes of large and small businesses is evident in their planning for GDPR. A quarter (27 per cent) of SMEs and half (50 per cent) of micro businesses say their current set up is optimum and they do not need to make any changes to their operations, compared to just 16 per cent of large companies who believe this.
On average, 38 per cent of companies do not intend to take any preparatory action. However, 39 per cent plan to overhaul their IT/customer data systems and a further 15 per cent intend to hire data analysts to collect data. Again, larger companies are more proactive; two thirds (64 per cent) will overhaul their IT and a third (33 per cent) will hire analysts.
Jonas comments, ‘Many businesses appear to be sleepwalking towards a GDPR abyss. The fines that can be levied for non-compliance will be potentially terminal to some organisations and even the largest companies – and certainly their shareholders – will feel a significant impact. A huge number of companies simply don’t understand the dangers of non-compliance – with smaller firms apparently particularly unaware.
‘The fact there is such a distinction in the level of confidence between large and small companies in their existing data collection set up is disturbing. It suggests strongly to us that SMEs and micro businesses are seriously underestimating the impact that GDPR will have on their systems and are demonstrating misplaced optimism.’
60 per cent of EU businesses ‘at risk’ or ‘challenged’ by GDPR
Based on responses, Senzing calculates that a quarter (24 per cent) of EU companies are ‘at risk’ in terms of being GDPR compliant. A further 36 per cent are deemed ‘challenged’ by the regulation, with only 40 per cent being classed as ‘ready’. Taken as a proportion of all businesses operating in the EU, this could translate into tens of billions, if not hundreds of billions, of euros in fines.
Jonas adds, ‘You can’t search what you can’t find. Finding out who is who and where their data is should be the first principle of GDPR compliance. Our worry is that, in investing in systems, processes and personnel, many companies are attempting to reach bases two, three and four without first getting to first base.
‘These findings point towards the fact that the missing link in GDPR compliance is single subject search. Companies are overlooking the urgent need to be able to perform a single smart subject search to find out who is who in their data. Without this, the critical enabler of GDPR readiness, many businesses will be unable to meet the demands of GDPR.’