There are lies, darned lies, and then there are GDPR poll statistics. So, when ISACA recently approached me to help analyze a new poll on GDPR readiness, I was initially apprehensive.
After all, how many organizations are really expecting to be fully compliant with the new EU regulation on data protection by today’s deadline? Previous poll results from other sources have ranged as high as 90% and as low as 10%.
The significant variation in results might reflect the way that the questions are framed by different surveys, and moreover, whether the respondent believed that the results really were going to stay anonymous. When non-compliance with the regulation can result in fines of up to €20 million or 4% of global turnover (whichever is greater), very few organizations will openly admit that their compliance process expects to break the law and run some of their data illegally for a while.
Fortunately, the good folks at ISACA – supported by YOU (members of the ISACA professional community and readers of the ISACA Now blog) – came through with a set of results that are far more insightful. The ISACA GDPR readiness poll is based on anonymous responses from thousands of relevant practitioners around the world.
Here are some of the survey highlights:
How many of us think our organizations will be ready by today? According to the ISACA GDPR readiness poll, only 29% of us think our organizations will be GDPR ready on time.
But wait, there’s more: 17% think their organization would not achieve compliance until 2019 or later, and a substantial 31% did not know when their organization would achieve compliance.
When it comes to late-stage compliance remediation, the good news is that your organization may not be alone. However, with the unprecedented levels of potential financial penalty for non-compliance, it is probably not a good idea to remediate slowly.
However, fast remediation also has substantial downsides. For example, how many organizations have been forced to delete huge numbers of customer records simply because they rushed out a very badly worded opt-in request?
Meanwhile, the rush to become compliant has at least one personal upside. Most of us are celebrating with each opt-in email we receive and ignore. Less junk in the mailbox – hurray!
(How I read most GDPR emails: “Would you like us to continue to send you annoying spam? Please? – Click here for YES or just ignore this email to have your personal information deleted by us.”)
If your organization is not yet GDPR-compliant, you can take some degree of assurance from YANA - the fact that You Are Not Alone. In fact, right now, you are probably part of the non-compliant majority. However, be careful, because that means you are non-compliant with a piece of legislation with a penalty level that for many organizations could be an extinction-level event.
So, who will be the first targets for deep scrutiny of their GDPR approach by the relevant EU supervisory authorities? I believe this will be any organization discovering a substantial data breach soon after 25 May, in which the same organization also appears to have intentionally ignored or misinterpreted their GDPR obligations.
It is also wise to consider this: Everyone, from unethical hackers to unhappy customers and disgruntled employees, past and present, will soon realize that the easiest way to cause financial pain to any organization that has ignored some or all of their GDPR obligations will be through their stashes of non-compliant personal information.
Editor’s note: View more information on ISACA’s GDPR preparedness poll. For additional ISACA resources on GDPR, visit www.isaca.org/gdpr.