MARKET | Feb 22, 2018

GDPR: are companies ready to protect data?

Less than one hundred days before the regulation takes effect, almost half of companies do not feel ready

Presented as “privacy is good for business”, the reform that will take effect on May 25 is known and recognized by most as GDPR, standing for General Data Protection Regulation.

Issued on 27 April 2016, the regulation aims to standardize and establish rules valid in all EU countries concerning personal data, protecting individuals and imposing greater responsibility on companies in data management.


Are companies ready?

Less than one hundred days remain before entry into force of the GDPR, but several studies are reporting incomplete awareness and above all a delay in “being up to date”.

IDC notes that scarcely 5% of companies are already compliant with the regulation, 50% of those interviewed have a plan to comply with the new obligations and 43% are in the phase of preliminary analysis of the activities necessary for becoming compliant. According to the same research, the best prepared sectors appear to be Public Administration and Commerce, while the 60% of companies in the service sector and the 53% of those in industry that have not started the adaptation process are cause for concern.

The Senzing study “Finding the missing link in GDPR compliance”, which involved over 1,000 managers of companies based in the United Kingdom, France, Germany, Spain and Italy, finds that 60% of companies are either “at risk” of non-fulfillment (24%) or “in difficulty” (36%). Only 40% say they are ready.

What is the Italian situation?

Forty-three percent of Italian companies declared themselves “concerned” about the GDPR, and only 29% are aware of the heavy fines they could incur in the event of non-fulfillment, which could reach up to 4% of annual turnover. Twenty-four percent of companies imagine (or perhaps wish, ed.) “impunity” for themselves and 12% ignore the consequences of non-compliance with the regulation.

One in 10 (13%) is not confident about application of the GDPR, and only one-third (32%) is very confident. Beyond perception of the ability to tackle the problem, 50% of companies are planning a review of their customer data processing systems, while 16% intend to employ a greater number of analysts for data collection and 10% are thinking of entrusting management to third parties.

How much time will businesses spend on GDPR?

According to Senzing, companies will receive on average 89 requests linked to the regulation per month, for which they will have to search an average of 23 different databases, dedicating approximately 5 minutes to each of them, for a total of about 8 hours of searching per working day. That is basically one full-time employee dedicated to this activity.

The situation varies by size: it runs from 9 minutes per working day for microbusinesses, to 1 hour for SMEs and the much more burdensome 60 hours of searches related to GDPR per working day for large companies. For the latter, that means almost 8 full-time employees dedicated just to this activity.

GDPR, blessing or curse?

To support companies in understanding the goals of the new regulation, the EU has published a set of guidelines and a dedicated tool useful for planning the activities to be carried out before May 25; the Italian Privacy Authority also published a guide.

As stated by many, with the new European regulation, privacy becomes a real business process to be managed in all its phases. Personal data are transformed into the equivalent of raw materials for the traditional economy, and for this reason the GDPR is considered the “Statute of the Data Economy”, that is, an opportunity for companies that intend to use data legally to produce products and services that can increase turnover and jobs.