Thomson Reuters

Study finds organizations are not ready for GDPR compliance issues

Tiffany Robertson

15 Aug 2017


Approximately halfway through the two-year implementation period before the General Data Protection Regulation (GDPR) takes effect on May 25, 2018, an NTT Security report took stock of how prepared companies are for compliance. Interviews with 1,350 decision makers in businesses around the world revealed that many know very little about the GDPR and whether or how it will affect them.

The GDPR represents a significant change in the EU’s data privacy regulation. It will apply directly and immediately in all EU states — without the need for implementing national legislation — requiring that organizations be able to justify their reasons for holding or processing every piece of data in their possession. They must also make clear to data subjects, at the time the data is collected, what it will be used for, and prove they have adequate measures in place to protect it. Furthermore, one of the biggest concerns for organizations is the law’s provision for massive fines for non-compliance.

Find out how Thomson Reuters Compliance Learning can support your business with its GDPR compliance obligations


Organizations not yet fully cognizant of GDPR’s potential impact

Despite the GDPR’s compliance challenges and potential fines, half of European companies surveyed were seemingly unaware of the regulation’s implications. Switzerland has the highest percentage of GDPR-ready companies in Europe (58%), followed by Germany and Austria (both at 53%). Despite the UK’s confirmation that Brexit will have no effect on the government’s plan to implement the GDPR, the UK came in with the lowest awareness level, with only 39% of UK companies identifying the law as a compliance concern. Outside the EU, many mistakenly perceive the GDPR as only — or most likely to be — applicable to EU companies. Awareness levels are lowest in the U.S., where only a quarter of respondents believed the GDPR will affect their organization, followed by Australia (26%), Hong Kong (29%) and Singapore (33%).


Long jurisdictional reach extends to organizations worldwide

With such low levels of awareness being reported, some organizations seemingly fail to realize that the GDPR’s extended jurisdiction represents one of the most drastic changes in Europe’s data privacy regulation. With the goal of protecting all EU citizens from data and privacy breaches, it attaches to any data concerning an individual residing or present in the EU. Thus, if data is connected to an individual in the EU, the GDPR applies — regardless of where such data is processed.


Data subjects gain more control over data

Organizations should not expect GDPR compliance to be simple given the wide range of requirements designed to heighten protection of personal data and privacy. The GDPR grants data subjects significant control over their data, including the right to access, transfer and delete personal data, as well as receive notification within 72 hours of certain data breaches.


More stringent regulatory requirements for organizations

In addition to these rights, the law imposes considerable obligations on organizations, including the requirement to —

  • Show exactly how and when they obtained consent;
  • Make it as easy to withdraw consent to future use of data as it was to give it;
  • Appoint a Data Protection Officer, responsible for supervising data privacy and protection within the organization;
  • Identify the scope of data relevant to the GDPR and adopt data protection systems tailored to the organization’s specific data practices and business operations; and
  • Document their compliance measures.

Enormous fines one of GDPR’s defining features

Previously, the biggest risk concerning a data breach was lost revenue and reputational damage. The GDPR goes beyond relying on potential consequences and provides for steep penalties as a deterrent to violations. While lower-level offenses — record-keeping, security, breach notification, and privacy impact assessment obligations — can result in penalties up to the greater of EUR 10 million or 2% of the entity’s global gross revenue, those figures go up to EUR 20 million and 4% for more substantive violations, i.e., legal justification for processing, data subject rights and cross-border data transfers.


Mitigating risk of violations requires preparation and training

The jurisdictional reach and numerous requirements the GDPR presents should have organizations all over the world concerned with compliance. In today’s digital and global economy, the GDPR substantially increases the risk of unwitting regulatory violations, a risk employers can mitigate by training employees on data protection safeguards and relevant legal requirements. Thomson Reuters’ online Data Privacy and Security training course is an easy and effective way to ensure employees understand data protection and how to detect, prevent and address potential threats.
