The survey results showed that the biggest challenges which organisations face are dealing with the large number of systems on which data is stored and processed, and the lack of internal resource and know-how about GDPR. Kang explains: "Large organisations have complex systems and interactions with large numbers of databases. Although some organisations may have thought that Cloud Computing would simplify IT conceptually, it can give rise to problems from a data protection perspective." He continues: "Cloud technology creates geographical data protection issues with regard to where the data is stored, coupled with issues about the interactions between different databases. Furthermore, it can exacerbate the problem of shadow IT, where individuals within large organisations procure IT without the authorisation of their IT departments – thus creating additional data silos that are parallel to the organisation's own official systems."
With regard to the lack of internal resource and know-how, Kang comments: "In organisations, individuals not only have to do their day jobs, but also have to find time to deal with the tasks associated with compliance activities. Such tasks need to be clearly explained as well, taking into account that there can be complexities about how best to implement GDPR compliance at an organisational level."
With the high confidence figure for GDPR compliance by 25th May 2018 being at such a low level, one would assume that this would have the attention of the Boards of the respective organisations. However, only 51% of organisations indicated that regular Board level reporting was being undertaken in respect of GDPR readiness. Kang notes: "This figure is alarming, especially as the survey responses showed that 78% of organisations regarded GDPR compliance as more important than other compliance programmes."
In terms of what organisations are actually doing to prepare for GDPR, 89% of respondents indicated that their organisations were involved in some form of data mapping or data flow activity. However, only 41% had a detailed GDPR compliance plan in place. The discrepancy between these figures is a concern, as Kang cautions: "Organisations need to be wary about just undertaking resource-intensive work on data mapping, without thinking about what they are going to do with the output of it, and how the activity is going to move them to compliance. Unfortunately, too many organisations are treating the data mapping as an end in itself, when in reality it's just the start of what could be a very long journey."
Software tools can assist with GDPR compliance and know-how, and Technology Law Alliance has developed its own GDPR software compliance tool, Asimuth, from its spin-off company, Asimuth Limited (www.asimuth.com). Kang explains: "The feedback which we have received is that a lot of organisations are anxious about the perceived scale of the task, and some don't know how to progress or continue with GDPR compliance – so we have developed Asimuth to help them with that not only for initial compliance up to 25th May 2018, but also for ongoing compliance beyond that date."
Although the survey results revealed that there are clear challenges which GDPR compliance is imposing on organisations, over three-quarters of organisations saw GDPR compliance as a positive initiative. Organisations cited reasons such as: helping them focus more clearly on the way in which data is used internally; becoming more transparent with individuals with regard to use of their data; and improving security within their organisations. These positive benefits accord with the messages which the Information Commissioner's Office (or ICO) is advocating, for organisations to embrace GDPR compliance.