It is now 6 months since the EU’s new data protection measures, the General Data Protection Regulation (GDPR), finally came into effect. But although May 25th had long been known as the deadline, there are still companies out there who are not yet fully GDPR compliant – and authorities are beginning to take action. However, if you are one of these companies, don’t worry, you still have time to get things right.
In the run-up to the May 25th deadline, many national data protection bodies had moved to quell panic, confirming that a ‘period of grace’ would be provided to ease the pressure and allow companies behind schedule to catch up. However, many businesses have still not made the necessary changes to their security and data processing and storage systems to keep these bodies satisfied.
37% Not Fully GDPR Compliant
In August, a survey carried out by MarketingSignals.com showed that 37% of businesses in the UK were not GDPR compliant just over 2 months after the regulations came into effect, 35% were still sending marketing emails to those who had not opted in, 31% still had the data of customers who had not consented to have their data stored, and 27% had still not secured data against a ransomware attack.
In September, research showed that just 35% of EU-based companies were complying with Articles 15 and 20, which relate to Subject Access Requests (SARs) – allowing an individual to access their personal data. The new regulations lowered the response limit from 40 days to 30, but some 65% were failing to meet it, as were 50% of companies outside of Europe.
Among them, retail companies were the biggest offenders, accounting for 76%. Financial services firms, on the other hand, despite being the best conformers, had only a 50% adherence rate.
Low employee awareness is also a surprise, with research revealing that 17% of UK employees don’t know who the Data Protection Officer (DPO) in their workplace actually is.
Authorities Now Taking Action
But the reality remains that failure to comply with GDPR can cost a company a significant amount – and violations are now being punished.
One example is that of Barreiro Hospital in Portugal in July. The hospital had granted 9 social workers access to the clinical data of patients and had a total of 985 registered users with doctor-level access despite the fact that only 296 doctors work there. It was fined €400,000 for two GDPR violations: failing to respect patient confidentiality (€300,000), and failing to ensure the integrity of data security in its system (€100,000).
In November, German social network website, Knuddels.de, was fined €20,000 after security breaches resulted in 808,000 email addresses and over 1.8 million usernames and passwords being leaked. The Baden-Wurttemberg Data Protection Authority issued the fine, but in calculating the relatively low sum took into account the “exemplary transparency, cooperation and quickness to implement security upgrades” that Knuddels showed.
And if you think having your customers’ data protected is enough to be GDPR-compliant, what about the Austrian company that was fined after it had installed a CCTV camera? The company broke GDPR rules because the camera was angled in such a way that it also recorded a large part of the public pavement, effectively robbing passers-by of their privacy.
Completing GDPR Compliance
At Kefron, we understand the challenges that all organizations, whether small SMEs, large corporations, hospitals or other public service bodies, face in becoming fully compliant with GDPR.
Our own dedicated GDPR Employee Awareness Training programme, in partnership with Olive Media, can help you complete the process, informing employees what is needed to help achieve compliance.
For more details, visit our webpage and contact us.