With less than a year until the deadline for General Data Protection Regulation (GDPR) compliance, 73% of European CIOs and IT managers are concerned that their organisation might not be able to meet the time-scale.
A survey of 750 CIOs and IT managers from France, Germany and the UK by NetApp also highlights a worrying lack of urgency ahead of the May 25, 2018 deadline, with only 37% of respondents having invested extra funds in data regulation compliance.
NetApp warns that many business managers remain ignorant of their responsibilities. Of the UK respondents only 12% say they fully understand what GDPR involves and just 17% have hired personnel with data protection expertise.
NetApp points out that while the originator of data remains its owner, under GDPR anyone who processes that data is also responsible.
However, 51% of the survey respondents say responsibility for compliance rests with the company that produces the data; 46% say it lies in the hands of the company that processes the data; and 37% believe responsibility for data compliance is in the hands of third-party cloud providers. In fact, all parties will be individually responsible for the data they handle.
Sheila Fitzpatrick, Worldwide Data Governance & Privacy Counsel/Chief Privacy Officer at NetApp, warns that with the prospect of big fines for missing the deadline, businesses must take action now.
She said: “We have entered the final year of preparation before the GDPR deadline on 25th May 2018. Businesses need to act now to ensure they are compliant in this timeframe, or be at risk of fines of up to €20m, or 4% of global annual turnover, whichever is higher.
“Brexit and the outcome of elections will have little to no impact on whether UK businesses need to comply with GDPR. It applies to any business that comes into contact with data on an EU citizen. As such, companies of all sizes need to take an active look at what data they hold, what they use it for and where it’s stored. They can then use this insight to conduct a comprehensive review of data privacy policies, consents, processes and so on to ensure they are meeting the minimum legal requirements.
“GDPR isn’t a ‘nice to have’, it’s a legal requirement. Companies have 365 days to become compliant, or face the potentially grave consequences when GDPR comes into effect.”