New research from EfficientIP has claimed 72% of UK businesses are confident about being compliant when GDPR hits the industry in May, but we’re not too sure.
Although security teams have had two years to get ready for the new regulations, in typical fashion, it has only been in the last couple of months that activity has been ramping up. We’ve been speaking to various people in the industry recently, and the feedback is a bit panicked.
This is of course human nature. When something is deemed non-critical or still on the horizon, it is pushed to the bottom of the priority list. Maybe some of these businesses assumed government agencies would be toothless in dishing out fines? Unfortunately, few businesses appreciated how time-consuming the process of becoming GDPR-compliant actually is, and many are now smacking the big red panic button with increasing severity.
Having spoken to a few friendlies, the feedback is that businesses do not appreciate the amount of grunt work associated with data audits, updating cookie notices, and understanding what is opt-in and what is opt-out under the new consent rules. GDPR work is flooding into consultancies, and any consultant who is free is being reallocated to make sure the influx of demand can be serviced. Businesses are realizing there isn’t a huge amount of time remaining.
We are sceptical about progress and think there will be quite a few cases of non-compliance; this is something people should be seriously worried about.
The fine itself could be up to 4% of annual global turnover or €20 million, whichever is higher. Of course, when it comes to a public sector organization dishing out fines or catching people in the act of wrong-doing, the general feeling is that there is wiggle room. Some businesses would be confident they could avoid detection, or avoid a fine of any real detriment. Most watchdogs are generally viewed as a bit toothless, with a bark comparable to a three-month-old Chihuahua.
When we spoke to the Information Commissioner’s Office, the body which will be responsible for enforcing the new rules, we were told May 25 would be a hard deadline and there would not be any grace period for companies to adapt to the new rules. The feedback was GDPR guidance has been around for ages so there is no excuse for non-compliance.
In terms of the fines and what would constitute mitigating circumstances, this is where the grey areas start to appear. The ICO has said it will be ‘proportionate’ when dishing out fines and when assessing each scenario. Whether this means there will be an escape route for non-compliant companies who can prove they really tried their hardest remains to be seen. Or could it mean fines will be inconsequential when compared to the revenues and profits being made by these businesses?
Once again we have a government agency which hasn’t really drawn up concrete rules, and the legal minefield of interpretation is out there again. It is worth noting that the blame for these grey areas should not be placed firmly on the doorstep of the ICO, as the rules are being passed down from the bureaucrats in the European Commission.
We are not confident in the research’s claim that the majority of businesses are confident about being GDPR compliant. Perhaps this is a clever bit of marketing, though; if you claim the majority of people are ready for GDPR, it could force those who are not into even more of a frenzy. The threat of being the odd one out would certainly encourage a few CSOs to dig deeper into their wallets.
Perhaps the most interesting part of this debacle will be the reaction of regulators; this could be viewed as a test of character for the ICO. The number of mitigating factors the ICO allows and the severity of the fines for non-compliance will decide whether there is any credibility in the watchdog. Is the team going to punish non-compliance at an appropriate level, or will the Chihuahuas resort to gentle yapping at the ankles of British businesses?