To mark the first anniversary of GDPR – General Data Protection Regulation – our latest Big Question surveyed over 1000 finance professionals from across a range of sectors to assess its impact. One very clear result is that workloads have increased as a result of the regulation.
By 48% to 2%, respondents said that GDPR, and the additional privacy and security checks needed, had meant an increase in their workload. Another overwhelming but ultimately optimistic result was that most, 80%, think their organisation has changed as a result of GDPR, in order to be fully compliant with it. Only 12% thought that they had not changed enough to be fully compliant.
Some were open about the continuing challenges. “The act is so detailed I feel I don’t know everything, but I do know enough to get by and to hopefully make our business compliant with the basics,” said one HR manager.
“Even a year on there is still a bit of work to be done to ensure this is part of the day to day,” said Catherine Vallely, HR Manager, Bunzl. Michael Russell, head of finance at The Police ICT Company, warned against complacency: “I think it is dangerous to think that you know enough about GDPR.”
Respondents were then asked whether their organisation has invested in specialist technology to help deal with GDPR. Just over a quarter, 26%, said they had but 61% had not. As for the recruitment of additional staff to cope with GDPR, fewer than a fifth, 19%, had done so, while 73% had not.
Many had, however, encountered a significant need for additional training. “We used a third party organisation to provide interactive GDPR training to staff which had a test at the end that staff needed to pass,” said Natalie Floyde, head of finance, at NPA. “All team managers had to ensure that staff within their teams passed the test.”
Most respondents think that they know enough about GDPR, by 83% to 17%, but many respondents think there is more to do. “Companies need to do more as their GDPR processes are a bit of a mess from what I have seen,” said Roland Sutton, management accountant, the London Crematorium Company.
Others are happy to admit that they have more to learn. “It would be helpful to have some information regarding proper day by day tasks you can perform that will keep you in line with GDPR,” said Ian Brassington, managing director of Brassington & Co. “If your laptop was stolen but you had put a password on it, would you have done enough to comply with GDPR?” he added.
Among those who are comfortable with GDPR, there was a sense that it had been over-hyped. Louise Hawkins, HR manager at Yewdale, said: “A lot of it was a storm in a tea-cup. There was a lot of misinformation about it and there are no back up consequences for companies not adhering to GDPR.”
A general counsel and corporate secretary for a public body said: “Given the proportionate approach to enforcement the Information Commissioner has highlighted we feel there have been a lot of scare stories and most reputable organisations can (and do) meet the principles of GDPR without huge amounts of effort. Certain bodies given the nature of their business may be struggling but most should not.”
Finally, which is rare for regulation, some saw an upside from it. “It opens your eyes to how much data is not valued,” said Emmanuele Nwachukwu, Credit Control Manager, Queen Mary University. She added: “It makes you consider the sensitivity of information that passes through our hands.”
“Yes GDPR is a wakeup call for many industries as they have to handle customer data much more safely,” said Steve McGinness, Project Manager, Cognizant. Another respondent said: “As the world catches up and starts creating its own GDPR regulations I think we are going to find ourselves meshed across borders.”
One year on, it seems, GDPR has been a lot better than feared.