A significant number of businesses are sleepwalking towards massive penalties due to a lack of awareness of the scale of the General Data Protection Regulation (GDPR) data collection challenge. This is a central finding of a major report released today by Senzing, the California-based software technology company.
The research – Finding The Missing Link in GDPR Compliance – is based on the views of more than 1,000 senior executives from companies in the UK, France, Germany, Spain and Italy. It finds that, on average, a company will receive 89 GDPR enquiries per month, each of which will require searching an average of 23 different databases, with each search taking about five minutes. The total time spent simply looking for data will be more than 10,300 minutes (172 hours) per month, equating to over eight hours of searching per working day – or one employee dedicated solely to GDPR enquiries.
The issue is even more pronounced for large companies. These expect to receive an average of 246 GDPR enquiries per month, each of which will require searching an average of 43 different databases, with each search taking more than seven minutes. They will spend more than 75,500 minutes per month (1,259 hours), which equates to nearly 60 hours of searching per working day – or 7.5 employees dedicated solely to GDPR enquiries every day.
The data collection challenge is exacerbated by a significant proportion of businesses which admit to not being confident about where their relevant data is housed or being able to account for all their databases. More than one in 10 (12%) companies say they are not confident that they know where all their data is stored; less than half (47%) are “very confident”. 15% of businesses are not confident that they have accounted for all the different databases containing personal/customer data, with only a third (35%) stating they are “very confident”.
Jeff Jonas, Founder and CEO, Senzing, said: “These findings reveal the true extent of the GDPR compliance challenge. Businesses will be faced with a mountain of data to trawl through – the end result will be a significant time and personnel cost and a great risk of missing records or worse, including the wrong records. Whilst this time requirement is most onerous for large companies, they have greater resources at their disposal. Relative to size, SMEs face a similarly gargantuan task.”
High level of concern over compliance
Although 44% of companies say they are “concerned” about their ability to be GDPR compliant – rising to 60% in the case of large companies – many businesses are demonstrating a dangerous lack of awareness about GDPR and overconfidence that they will not be affected. Only a third of companies (35%) recognise that the potential financial fines for non-compliance, which in the worst cases can reach €20 million or 4% of global annual turnover (whichever is higher), are very severe. An alarming 30% say that financial penalties will have no impact at all, and 15% say that they “don’t know” what impact financial fines would have.
Smaller businesses appear to have less appreciation of the seriousness of GDPR non-compliance. A greater proportion of large companies than SMEs understand the severity of the impact of the financial fines: 38% of SMEs and 29% of micro businesses recognise that the financial penalties could have a severe impact on them, compared to almost half (47%) of large companies.
This divide between the attitudes of large and small businesses is also evident in their planning for GDPR. Just over a quarter (27%) of SMEs and half (50%) of micro businesses say their current set-up is optimal and that they do not need to make any changes to their operations, compared to just 16% of large companies. On average, 38% of companies do not intend to take any preparatory action. However, 39% plan to overhaul their IT/customer data systems and a further 15% intend to hire data analysts to collect data. Again, larger companies are more proactive: almost two thirds (64%) will overhaul their IT and a third (33%) will hire analysts.
Jonas commented: “Many businesses appear to be sleepwalking towards a GDPR abyss. The fines that can be levied for non-compliance will be potentially terminal to some organisations and even the largest companies – and certainly their shareholders – will feel a significant impact. A huge number of companies simply don’t understand the dangers of non-compliance – with smaller firms apparently particularly unaware. The fact there is such a distinction in the level of confidence between large and small companies in their existing data collection set up is disturbing. It suggests strongly to us that SMEs and micro businesses are seriously underestimating the impact that GDPR will have on their systems and are demonstrating misplaced optimism.”