30% of European businesses still not GDPR compliant
A year on from the launch of the infamous GDPR directive, a third of Europe’s businesses are still not compliant with the rules. According to a new study, a similar number of businesses said they have found the GDPR improves their operations, while 28% said the regulations make it more difficult to trade with firms outside Europe.
The GDPR is the most fundamental change in data protection legislation for the past 20 years and is the first attempt to create comprehensive and enforceable laws. The legislation affects all domestic and international businesses operating in the EU – regardless of size – and threatens those who fail to comply with hefty fines of up to €20 million or 4% of global revenues, whichever is larger.
When the GDPR came into force in early summer 2018, companies in the UK were still scrambling to comply with the European law. Confusion over key concepts such as ‘consent’ persists at many top companies, and FTSE 350 spending on the matter has now passed $1 billion.
Now, a new study from auditing and advisory firm RSM has found that despite that spending spree, a huge portion of companies across the continent are not compliant with GDPR rules. According to a survey of European middle market businesses with a turnover of less than €100 million across 34 countries, 30% of European businesses admit they are still not compliant with GDPR. Despite it being over a year since GDPR came into effect, and despite a growing number of fines from regulators, only 57% of businesses are confident that they follow the rules, with a further 13% unsure either way.
RSM found that the compliance gap is not down to any single issue, with middle market businesses struggling to understand and implement a whole range of areas covered by the regulation. 38% of non-compliant businesses do not understand when consent is required to hold and process data, 35% are unsure how they should monitor their employees’ use of personal data, and 34% don’t understand what procedures are required to ensure third-party supplier contracts are compliant.
Steven Snaith, Technology Risk Assurance Partner at RSM UK, commented, “With so much pressure on organisations to meet complex requirements, we saw GDPR fatigue setting in last year. Middle market businesses were overwhelmed by information from the press, industry bodies and stakeholders. Many organisations simply gave up and reverted back to the old way of doing things. But there are signs that this fatigue is about to fade. High-profile fines across Europe have demonstrated that regulators across the EU are serious about enforcement. Businesses are scrambling to catch up once again.”
Cyber impact?
Despite the lack of compliance, GDPR is starting to have a positive impact on cyber security within the EU. Almost three-quarters of European businesses say GDPR has encouraged them to improve the way they manage customer data, and 62% say it has led them to increase their investment in cyber security. There remains much more to do, however, with 21% of businesses admitting that they still have no cyber security strategy in place.
At the same time, just under a third of firms said they had been negatively impacted by GDPR in terms of global trade: 28% said that the rules had made it more difficult for them to trade with firms beyond the EU. With such a major overhaul of privacy laws carrying such significant financial implications, many mid-market firms outside the EU have become hesitant about forging relationships in Europe.