GDPR’s Data Breach Notification Requirements Tripping Up Businesses

The U.K. is only weeks away from bringing its Global Data Protection Regulation (GDPR) rules into effect, and corporates are ill-prepared for the data security requirements, according to new research.

Law firm McDermott Will & Emery collaborated with Ponemon Institute to assess how U.K. businesses are getting ready for GDPR to take effect on May 25. Corporations are bracing for major changes to their operations, and many will miss the May 25 deadline as they struggle to overcome challenges related to key components of the new rules, including data breach notification.

According to McDermott’s report, published earlier this month, 52 percent of companies surveyed said they will be compliant by the May deadline. Forty percent, however, said their compliance will come after that deadline, and 8 percent were not sure when they will be fully compliant with the new rules.

Most companies said GDPR will bring “significant” changes to organizational workflows when it comes to the aggregation, use and security of personal information stored and used by their firms. Seventy-one percent said they are aware noncompliance could be detrimental to their companies’ international operations.

The findings represent a significant improvement on earlier analysis by published in January, which found that only 38 percent of businesses surveyed had even heard of GDPR. For those firms that were aware of the impending rules, only about a quarter said they had made the operational changes necessary to remain compliant.

Despite acknowledging the risk of noncompliance, corporates are cutting it close when it comes to ensuring they’re ready for GDPR, McDermott’s survey found.

“There is a lot more work to be done for GDPR readiness, this study shows,” reflected McDermott partner and leader at its Global Privacy and Cybersecurity Practice, Mark Schreiber, in a statement. “A key issue here is prioritizing what can be done in the remaining time before that May deadline and acting on those high-risk areas.”

One of the areas of GDPR posing the greatest challenge to U.K. businesses is the data breach notification requirement.

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons,” the GDPR legislation reads.

Most (83 percent) of companies said this is the aspect of GDPR that is most difficult to address. Despite this struggle, 68 percent agreed that noncompliance with this aspect of the regulations would pose the greatest risk to their firms.

Analysts warned, too, that GDPR requirements will not apply solely to consumer data collection and storage, with broad implications of the rules on the B2B community as well.

“Compliance is more than just updating your privacy policy, and so it is heartening to see so much wholesale change to workflows and an appreciation that business-as-usual processing will change after May 25,” added Ashley Winton, McDermott London partner and chairman of the Data Protection Forum. “However, it is particularly interesting to see which sectors are making the most effort to get into compliance, as it is not just consumer or retail-facing companies. With markedly disparate levels of compliance expected by May 25, it will be interesting to see what the regulators’ response will be.”

Businesses in the U.K. are having to invest in GDPR compliance to avoid the financial implications of noncompliance.

According to McDermott’s report, on average, corporates were budgeting $13 million a year for compliance efforts, though a third of companies said they expected to review that figure once a year. More than a fifth expected a growing need to focus on investment in staffing, technology and governance practices to continue ensuring compliance, the report found.

While costs may appear high, experts warned the costs of noncompliance could be higher.

“The risks of failing to comply with GDPR have been most often reflected by organizations’ fear of the potential size of the financial penalties that noncompliance could bring about,” said Ponemon Institute Founder Larry Ponemon in a statement. “The headline figures — fines of up to €20 million or 4 percent of global turnover, whichever is the greater amount — represent a potentially massive fine for companies.”