Many companies are falling short of data protection obligations under the General Data Protection Regulation (GDPR). DLA Piper's Data Privacy Scorebox shows that, on average, companies are complying with less than 40% of GDPR principles.
The European GDPR will apply to processing carried out by organizations operating within the EU and to organizations outside the EU that offer goods or services to individuals within the EU. The UK government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
Companies failing to comply with the GDPR once it applies in May 2018 could face fines of up to 4% of global annual turnover (or €20 million, whichever is higher). So far, however, respondents score an average of 38.3% against the GDPR principles assessed, which include how well prepared a business is for a security breach, whether it classifies sensitive and non-sensitive data, and whether it has assessed the risks of how and where it stores data.
The report, released in advance of International Data Protection Day on January 28, is based on more than 250 responses to an online survey tool launched in January 2016 to help organizations around the world assess their level of privacy maturity relative to industry peers. Respondents answer a series of questions on areas such as data storage, data use and customers' rights.
“The responses show that many organizations still have work to do on their data protection procedures,” said Patrick Van Eecke, partner and global co-chair of DLA Piper's Data Protection practice. “Any organizations operating in Europe will need to see major improvements in their score by May 2018 if they are to avoid potentially heavy financial penalties under the GDPR, not to mention serious reputational damage as people become more and more aware of their rights in this area.”
He added, "With more and more organizations putting data at centre stage, data protection will become an increasingly prominent issue. It is vital that organizations invest now in the strategy and processes needed to help them to meet their obligations."
Jim Halpert, the US Co-Chair of DLA Piper's Global Data Protection practice, added: “As privacy requirements, such as privacy by design, data portability and extensively documenting a privacy program, become more complex, compliance demands significant operational work that takes time. In this sense, the results are not surprising. However, the time to step up compliance efforts is this year, not next.”