Privacy continues to be an emotive issue, and with the General Data Protection Regulation (GDPR) just around the corner, we have been examining some of the broader implications for companies that store personal data of European customers and/or employees.
In a recent study on the status of the implementation of the new EU Data Protection Code (GDPR), Dell found that more than 80 percent of global respondents knew little or nothing about GDPR. Fewer than one in three companies felt they were currently prepared for GDPR. A massive 97 percent did not have a plan to prepare for it and only nine percent of IT and business professionals are confident they will be fully ready. Those are worrying statistics.
I have had the opportunity to find out more about GDPR preparedness for myself. I have been one of almost 160 participants in SAS events in DACH on this issue, under the heading "This could get expensive". It was clear that the Dell study reflects the DACH market.
Three facts in particular surprised me
Large companies are still looking for information
Most companies, including some of the largest ones, are still in the reconnaissance and analysis phase. The extent of projects to be implemented is not yet clear. Only a few companies already have implementation plans. The lecture by Arnd Böken, lawyer with GW Graf von Westfalen and an expert member of the Bitkom work group on data protection, started a lively discussion. It was clear that many of the core issues for GDPR, such as accountability, increased penalties, or the information rights of citizens, have not yet been fully understood. This is particularly true for their impact on data management and other processes. Mr. Böken was still being asked far-reaching questions by participants long after the end of his session.
GDPR is not being seen strategically
Many of the participating companies are currently engaged in digitization strategies. Since digitization is very much a matter of using and monetizing increasing amounts of data, much of it personal, I was very surprised that no company is seeing the data protection agenda as an opportunity to achieve competitive advantage. I think this has great potential: if my customers trust me to handle their data, they are more likely to let me use more of it, especially if they see that it gives them a benefit.
GDPR is not yet a board-level issue
To my surprise, many participants felt that GDPR was not yet a board priority; indeed, many boards have not yet taken any interest in it. The connection between GDPR and digitization issues such as Big Data Analytics or even regulatory projects such as BCBS239 or IFRS9 has not (yet) been realized or addressed.
My impression of the events is reflected by these few quotations
It should be clear from these quotations that without urgent action, GDPR is going to become a serious problem for perhaps the majority of companies. This could indeed get quite expensive.