Data Protection Requirements Continue To Elude The Boardroom
Nearly a third of UK company directors recently surveyed by the Institute of Directors (IOD), have not heard of the new General Data Protection Regulation (GDPR). Some four in 10 don't even know if their company will be affected.
The IOD surveyed 900 of its members, and says the results reveal this to be a "worrying number of companies."
How is it that any company director has not heard of GDPR? If I were asked that question and did not know, the first thing I would do is reach for my iPad and Google it. Here's an informative link to the Information Commissioner's Office (ICO).
GDPR, adopted by the European Parliament in April 2016, requires all businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states. That means that it affects every single business of more than 250 employees that does business in Europe involving processing the personal data of EU residents, even if it has no presence there.
Non-compliance carries steep penalties of up to €20 million or 4% of global annual turnover, whichever is higher. All companies affected must be able to show compliance by May 25, 2018.
As in many surveys involving UK business and technology, the findings are a little odd. On the one hand, two-thirds of businesses that are aware of GDPR were either "very or somewhat confident they fully understand how it will affect the running of their business." (Remember that a third of them haven't even heard of GDPR.)
On the other hand, half of directors surveyed revealed they had not discussed their own GDPR compliance arrangements with partners or vendors with whom they share data.
A third said they had in-house experts. Despite what seems like a certain level of disarray on this matter, when asked whether they would be fully compliant with the regulations by the deadline, 86% of businesses said they were either "very or somewhat confident of being so."
UK boardrooms have displayed an ostrich-like tendency to ignore the many challenges of rapid technological change, including cyber security. Some of that, at least, involves a reluctance to ask questions and thereby demonstrate a lack of knowledge - but that is where collaboration should kick in. Brexit makes no difference to the requirement to be compliant with GDPR, although it clearly adds to the burdens on business at the moment.
"Company directors are being pulled in so many different directions it is unsurprising that many do not understand the details of GDPR. The regulator has a significant role to play in ensuring that SMEs, as well as larger firms, are fully compliant by May 2018," said Jamie Kerr, Head of External Affairs at the IOD.
To be fair to UK company directors, the lack of preparedness on data protection is a global business issue. The number of data breaches reached a record high in 2016 - 4,149 incidents in 102 countries around the world exposed more than 4.2 billion records, according to cyber security company Risk Based Security.
A Ponemon Institute report on the cost of data breaches revealed in July the country with the highest cost per record and per incident to be the United States.
Another report, from Veritas, reflects widespread concern around the world about not being compliant in time for the GDPR deadline.
But being in the same boat on data protection as everyone else is unlikely to be a comforting thought - or a helpful comment in a UK boardroom. It's also a stark neglect of corporate governance to be either ignorant of this issue, or to push it to one side.
The IOD is holding a digital strategy summit today, Twitter #IODDigital.