Many companies fail to meet GDPR compliance in time
As the General Data Protection Regulation (GDPR) comes into force tomorrow, research continues to suggest that many companies are not compliant with the new rules, with some insurers also struggling to shape up. Ferma has taken the opportunity to remind members that the risk is an enterprise-wide, strategic issue that demands board involvement and strong governance.
The seemingly endless build-up is over. Tomorrow, 25 May, the GDPR becomes law across the EU. It ushers in fines of €20m or 4% of annual turnover, whichever is higher. But it also brings huge reputational risk, potential business interruption and demands huge compliance efforts from business.
While many companies are on the road to complying with the new regime, experts and surveys continue to suggest huge numbers of businesses are still not ready.
The latest poll by QBE Business Insurance shows that only slightly more than one quarter (27.6%) of UK businesses feel they are completely compliant with the GDPR.
Of the 500 UK businesses questioned, only 29.2% said they had a thorough understanding of the new regulation, despite one in four (28.6%) saying that personal data is critical to their business model.
Erica Constance, cyber portfolio manager at QBE Business Insurance, said: “Despite a lot of noise around the introduction of the GDPR, it is clear from this research that the new regulation could catch a lot of businesses by surprise. With only 27.6% of respondents confident enough to say that they are fully compliant with the legislation, only a few days away from its introduction, it is apparent that the GDPR is causing severe headaches for many organisations.”
And the situation appears little better across Europe. Cross-sector research published by NetApp in April found that 64% of EMEA-based businesses had concerns over their ability to meet the GDPR deadline. This follows numerous surveys from brokers and insurers suggesting a similar story.
According to Raef Meeuwisse, audit expert and author of Cybersecurity for Beginners, most organisations have still not fully met GDPR requirements.
“Most people will have witnessed a recent flurry of emails from companies keen to show they are on the path to GDPR compliance by updating their opt-in consent and privacy terms and conditions. If you ask the question, ‘Are you complying with GDPR?’, to an organisation, it is doubtful that any would openly state they are not well on the path to full compliance to a regulation carrying such large financial penalties,” he said.
“However, in reality, almost all organisations still have a lot of activities to complete before they fully meet all of the enhanced requirements of the new legislation. Organisations are becoming ready as fast as they can. However, for any enterprise of size, full compliance with the GDPR is not something that can be achieved by a small project team,” he told Commercial Risk Europe.
Mr Meeuwisse said GDPR compliance usually requires organisations to substantially “re-engineer” how they process and manage personal information.
He said most organisations lack efficient ways to meet GDPR compliance obligations. “For example, unless an organisation has fully synchronised identity and access management for their customers as well as their staff, meeting the requirements of the regulation can require quite labour-intensive efforts to review what information is held and then apply the necessary improvements,” he explained.
At an event attended by Mr Meeuwisse earlier this year, he and other experts warned that organisations are struggling to put in place policies and procedures to meet GDPR requirements, with governance, risk and compliance efforts often grinding to a halt at internal network perimeters. They also stressed that regulators have the power to stop data processing and cause business interruption under the forthcoming rules, while noting that many contracts with cloud service providers are unlikely to be fit for purpose when the regulation comes into force.
Raf Sanchez, Beazley International breach response service manager, said this week that time is running out for companies to get their house in order for the GDPR. Organisations that are not prepared for the new regulations, or are found to be flouting the new rules, should prepare for a substantial fine, he warned.
Mr Sanchez also said that cyber insurance can play an important role in mitigating GDPR risk, but only if it sits alongside a robust data privacy compliance programme, internal risk management planning, software tools and board-level involvement.
Ferma this week moved to remind members that the GDPR is an enterprise-wide issue that requires board involvement and adequate governance.
“We do not yet know how member states will begin enforcement of GDPR, but the consequences of non-compliance are potentially very serious. GDPR goes to the heart of the way that many large companies operate today, and could affect opportunities they would like to gain from data. Data is one of the largest assets a company holds, so these are truly enterprise issues that affect strategic aspects of the board’s mandate, including valuation, reputation and trust. The management of digital risks is a corporate issue that should be reflected in the governance of the company,” said Jo Willaert, Ferma president.
Other experts have this week focused on the readiness of insurance companies for the GDPR. Law firm Clyde & Co said many will not be ready in time.
“We continue to predict that large parts of the insurance industry will not be fully prepared for the new regulation, with many firms yet to grapple with all the issues surrounding compliance with the new rules. Insurers that are not ready should be concerned, as the penalties for non-compliance are significant,” said Mark Williamson, partner at the firm.
He added: “Key to compliance is having a thorough understanding of your core business – getting a helicopter view of how the company collects, stores and uses personal data, and then comparing and adhering to the requirements imposed by the GDPR. Time is running out…and ignorance of the law will be no defence.”
A briefing note by AM Best suggests that insurers themselves are more confident than their customers about meeting GDPR requirements. AM Best asked rated entities to self-assess their level of preparedness for the GDPR last month. With an average score of 7.7 on a scale from one to ten, the result suggests the market is largely confident, said AM Best. In addition, confidence has slightly improved on the 7.0 score reported in AM Best’s previous assessment last June.
“AM Best has been closely monitoring the process of alignment to GDPR among its rated companies as part of their ERM assessment, with a particular focus on associated operational, regulatory and reputational risks. The GDPR provides an opportunity for companies to take a closer look at their own policies and procedures that relate to data use and management.
“GDPR preparation has helped some insurers and reinsurers to strengthen or refresh their risk mitigation capabilities, leading to the introduction of new safeguards to manage the risk of non-compliance, including basic technical measures like data encryption,” said the ratings agency’s senior financial analyst Alvise Argenton.