The GDPR’s May 25, 2018 deadline set in motion a mad compliance and security scramble not only for European companies, but also for any company doing business in Europe or with European customers.
We just published a new market research report on GDPR. The purpose of this survey of 262 executives was to quantify – as close to the May 25th deadline as possible – the following three key issues related to GDPR:
- How do organizations view the emerging challenges tied to information privacy and security, and whom have they charged with this task?
- At the deadline, where are organizations in their GDPR journey and how much did they spend to get there? How do they assess their progress in meeting the core requirements of GDPR?
- What kinds of special pain points does unstructured information (i.e., content) raise in GDPR compliance efforts, and which core IIM technologies do organizations see as critical to their efforts?
The scope of GDPR includes more rigorous consent requirements, data anonymization, the right to be forgotten and breach notification requirements. Violations could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year – whichever is the greater – being levied by data watchdogs. For other breaches, the authorities could impose fines on companies of up to €10m or 2% of global annual turnover – whichever is greater. For the average Fortune 500 company, that puts fines in the range of $800-900M.
But the impact of GDPR really goes beyond the immediate need to be compliant. The GDPR reflects an emerging consensus that the rules and practices and technologies used to manage the security and privacy of personal information need to evolve to reflect the explosive growth of this information and the increasing sophistication of the tools to manage it.
Information privacy is still an afterthought for most organizations. Only 36% of organizations have a dedicated privacy function – a key factor in determining accountability. The other 64% either lodge responsibility in another function or have no privacy function to speak of.
For nearly 40% of organizations, the primary reason to focus on GDPR is because they have to – it’s a legal obligation. Missing from this fairly practical calculus is the fact that a strategic and focused approach to information management and information governance is not just good hygiene – it sets the stage for machine learning and artificial intelligence.
There are a variety of accountability models for GDPR, with no clear winner: IT is responsible in 27% of organizations, followed by LOB (finance and operations, 19%), RM/Information Governance (15%), Legal (15%), and Compliance (13%). For AIIM audiences, the relatively low percentage of organizations that place GDPR responsibility with RM/IG perhaps reflects a long-term shift for this function in the direction of IT.
Fear of additional regulatory scrutiny – somewhat akin to the fear that an IRS audit frequently leads to additional audits – is the primary worry for 32% of organizations should they suffer a compliance lapse.