Introduction
The General Data Protection Regulation (GDPR) represents the most significant data protection reform in nearly 20 years, and we were interested in how organisations were preparing for such a significant change.
We invited our existing customers, visitors to our website and mailing list subscribers to complete a survey so that we could assess some key aspects of GDPR.
Admittedly, this is a relatively small sample size, but it still gives some indication of the concepts and requirements that organisations may find hardest to address.
Results:
Snapshot: 31/05/17
Have you conducted a Privacy Impact Assessment / Data Protection Impact Assessment?
YES = 11%
NO = 89%
Unsurprisingly, the vast majority of respondents have not completed a PIA/DPIA. The ICO's guidance on this was compiled some time ago, and the Article 29 Working Party has since published DPIA guidelines under the GDPR.
ICO Guidance: https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
Article 29 Working Party:
Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, wp248
Can you Confidently Prove how the Data Subjects’ Consent was Achieved?
YES = 44%
NO = 56%
Responses on data subject consent were split almost 50/50. Consent is not in itself a new requirement, but the GDPR raises the standard: where consent is the lawful basis relied on, it must be freely given, specific, informed and unambiguous, and the organisation must be able to demonstrate that it was obtained. This suggests that existing data protection procedures may need to be reviewed to ensure that consent is captured in a way that can be evidenced, and that the organisation is accountable for this.
Have you Implemented any recognised Security Standards?
YES = 33%
NO = 67%
The results of this question may be slightly skewed towards "yes", as we help our clients achieve standards such as ISO 27001. However, ISO 27018 (protecting PII in the cloud) and BS 10012 (Personal Information Management System, PIMS) may increase in popularity as the 25 May 2018 deadline approaches.
Is all Personally Identifiable Information (PII) held within the EU?
YES = 89%
NO = 11%
It was encouraging to see that the majority of respondents are already keeping data within the EU. There may, however, be legitimate reasons to hold data outside the EU, and the GDPR provides safeguards for such transfers (for example, an adequacy decision covering the destination country, or standard contractual clauses).
Rate your understanding of key GDPR concepts:
MOST Knowledge: Accountability & Purpose
LEAST Knowledge: Portability
The right to data portability only applies where processing is carried out by automated means and is based on consent or on a contract, so it may be relevant to only a subset of organisations that process PII. A basic understanding is still valuable, however, because the right has to be recognised and responded to when a data subject exercises it.
Conclusion
While we can assume that anyone completing a GDPR survey has some awareness of it, there are clear areas for improvement, and organisations should continue to prepare and monitor official channels for guidance as it is released.
The survey is now closed; all snapshots can be found here.
If you would like help or advice to bring your organisation in line with the requirements, we have several options available. Read more: https://www.assentriskmanagement.co.uk/gdpr-consultants/
More Information
The UK ICO’s “Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now”:
https://ico.org.uk/media/1624219/preparing-for-the-gdpr-12-steps.pdf
Article 29 Working Party, Guidance
http://ec.europa.eu/newsroom/just/item-detail.cfm?item_id=50083