Three and a half years ago data legislation in Europe changed with the introduction of the General Data Protection Regulation (GDPR). The Data Protection Act 2018 became the UK’s implementation of GDPR and, despite our subsequent exit from the EU, GDPR and what it stands for is not going anywhere. In fact, the government recently published a paper, Data: a new direction, outlining potential reforms to make the principles set out in GDPR clearer. As the report rightly says, ‘data is now one of the most important resources in the world’, and therefore understanding and complying with the legislation is critical. Yet, despite this, research shows that organisations of all sizes and sectors still haven’t quite got to grips with it.
Corporate compliance: 30 per cent do not believe they adhere to GDPR
Integreon’s annual Regulatory Readiness Report 2021 reveals that UK corporates rank GDPR as the most important regulatory event, trumping the LIBOR transition, Brexit and the pandemic, which were ranked as the next three most important events.
Preparing for and managing regulatory change is a challenge in normal times, but the coronavirus has added an extra layer of complexity as many regulatory compliance teams have been forced to both adapt to working from home themselves, and deal with everyone else in the organisation also working from home. This has resulted in huge numbers of GDPR issues around data sharing and security. Not to mention the rise in marketing communications as organisations tried to remain in touch with their customers during periods of lockdown.
The report reveals two key reasons why GDPR continues to be a main focus. The first is the significant increase in the number and intensity of cyberattacks, in particular the use of ransomware. Attacks of this nature soared by 93 per cent in 2021.
The second is business-as-usual GDPR issues such as data transfers and the handling of customer data. There are a number of horror stories doing the rounds, including printed lists of customers being left out on a makeshift desk in the kitchen, or unsecured emails being circulated to whole teams sharing the personal information of hundreds, if not thousands, of customers.
As a result of these two issues, the number of corporations that believe they are fully compliant stands at 69 per cent, leaving close to a third of companies non-compliant. This figure is likely to increase, as only 30 per cent of large businesses believe they have the resources and budget to adequately maintain compliance, a figure that has fallen by five per cent since 2020. Strikingly, a fifth of corporate respondents completely disagreed that they have sufficient budget and resources, a significant change from 2020, when no respondents felt the same way. A concerning trend.
SME Compliance: 25 per cent do not clean their customer data
But how about SMEs, how are they faring? According to a study by REaD Group, awareness of GDPR is high amongst SMEs (85 per cent) and the majority are aware of their responsibilities towards their customer data; namely that under GDPR it must be kept clean and accurate or be deleted (89 per cent).
Yet, irrespective of this knowledge, 25 per cent of SMEs admit they do not clean their customer data, despite it being a clear requirement of GDPR (the accuracy principle in Article 5(1)(d)). In fact, Article 5, which sets out the principles relating to the processing of personal data, is one of the Articles most frequently enforced by the ICO. At the end of last month, for instance, HIV Scotland was fined for failing to adhere to this Article.
Finance: the least compliant sector
Charities, like HIV Scotland, often fall foul of GDPR. However, a review of the fines enforced by the ICO this year shows that finance companies are far and away the least compliant, racking up a total of 11 fines so far in 2021. Retail is the next most fined sector, receiving seven fines, and technology and marketing companies come in joint third, receiving six fines each.
Public sector compliance: work to be done
Interestingly, according to the data, the public sector has not received any fines this year. This is perhaps a little surprising, since we recently sent a Freedom of Information request to all UK councils asking whether they regularly clean the data they hold. Only 12 per cent of councils believe they are GDPR compliant, whilst a further 12 per cent admitted to doing no data management at all.
Twenty per cent of the respondents to our study gave a vague affirmative that they had a process to keep records clean, but did not specify what it was or how regularly the data was updated. A further 28 per cent admitted that they only updated their data when informed by a constituent that they had moved house or that a family member had passed away.
Focus for 2022: A clear need to get to grips with GDPR compliance
What this shows us is that GDPR remains an issue for every UK organisation, irrespective of whether it is large or small, B2B or B2C, private or public sector. As we move into 2022 the focus on GDPR is likely to grow with the appointment of a new Information Commissioner, John Edwards, who was formerly the Privacy Commissioner in New Zealand and is a well-known stickler for consumer privacy. He will take up the reins either in December or early next year.
Consequently, it is likely that for savvy businesses data management and hygiene will be high on the agenda for 2022.
The Software Bureau develops and deploys market-leading software that places the power of data management for direct marketing into the hands of its clients. It has recently launched Clean Contacts, a data hygiene product for customers of Microsoft Dynamics 365.