A significant number of EU businesses are sleepwalking towards massive penalties due to a lack of awareness of the scale of the General Data Protection Regulation (GDPR) data collection challenge. This is a central finding of a major report released today by Senzing, the California-based software technology company.
The research – Finding The Missing Link in GDPR Compliance – is based on the views of more than 1000 senior executives from companies in the UK, France, Germany, Spain and Italy. It finds that, on average, a company will receive 89 GDPR enquiries per month, and that answering each one will require searching an average of 23 different databases, each search taking about 5 minutes. The total time spent simply looking for data will be more than 10,300 minutes (172 hours) per month, equating to over 8 hours of searching per working day, or one employee dedicated solely to GDPR enquiries.
The issue is even more pronounced for large companies. These expect to receive an average of 246 GDPR enquiries per month, each requiring a search of an average of 43 different databases at more than 7 minutes per search. They will spend more than 75,500 minutes per month (1259 hours) on searching alone, which equates to nearly 60 hours per working day, or 7.5 employees dedicated solely to GDPR enquiries every day.
The data collection challenge is exacerbated by a significant proportion of businesses that admit they are not confident about where their relevant data is housed, or that they can account for all of their databases. More than one in ten companies (12%) say they are not confident that they know where all their data is stored, and less than half (47%) are “very confident”. 15% of businesses are not confident that they have accounted for all the different databases containing personal or customer data, with only about a third (35%) stating they are “very confident”.
Jeff Jonas, Founder and CEO, Senzing, says: “These findings reveal the true extent of the GDPR compliance challenge. Businesses will be faced with a mountain of data to trawl through – the end result will be a significant time and personnel cost and a great risk of missing records or worse, including the wrong records. Whilst this time requirement is most onerous for large companies, they have greater resources at their disposal. Relative to size, SMEs face a similarly gargantuan task.”
High level of concern over compliance – but the problem is still underestimated by many
Although 44% of companies say they are “concerned” about their ability to be GDPR compliant, rising to 60% in the case of large companies, many businesses are demonstrating a dangerous lack of awareness about GDPR and overconfidence that they will not be affected. Only about a third of companies (35%) are aware that the potential financial penalties for non-compliance, which in the most serious cases can reach €20 million or 4% of global annual turnover, whichever is higher, are very severe. An alarming 30% say that financial penalties will have no impact at all on them, and 15% say they “don’t know” what impact financial fines would have.
Smaller businesses appear to have less appreciation of the seriousness of GDPR non-compliance: a greater proportion of large companies than SMEs understand the severity of the financial fines. 38% of SMEs and 29% of micro businesses recognise that the penalties could have a severe impact on them, compared to almost half (47%) of large companies.
This divide between the attitudes of large and small businesses is also evident in their planning for GDPR. A quarter (27%) of SMEs and half (50%) of micro businesses say their current set-up is already optimal and that they do not need to make any changes to their operations, compared to just 16% of large companies who believe this. Across all companies, 38% do not intend to take any preparatory action. However, 39% plan to overhaul their IT or customer data systems and a further 15% intend to hire data analysts to collect data. Again, larger companies are more proactive: two thirds (64%) will overhaul their IT and a third (33%) will hire analysts.
60% of EU businesses “at risk” or “challenged” by GDPR
Based on the responses, Senzing calculates that a quarter (24%) of EU companies are “at risk” of failing to be GDPR compliant. A further 36% are deemed “challenged” by the regulation, with only 40% classed as “ready”. Scaled up to all businesses operating in the EU, the potential exposure could translate into tens of billions, if not hundreds of billions, of euros in fines.