Most firms understand GDPR. But only a minority are fully compliant six months after the law took effect, according to GDPR Implementation Review, a study by IT Governance.
Of the IT personnel surveyed, only 29% say their firms have completed implementation and can demonstrate compliance.
Another 54% have begun the process but are not there yet. And around 4% have assessed their level of compliance but have not yet begun to make changes. And 2% have not yet begun.
In addition, 47% say their policies, procedures and documentation are now in line with GDPR. But 45% say this has been only partially completed, and 5% have not done anything.
Yet 75% of those surveyed have conducted a data flow audit in some capacity.
IT Governance, a global company, surveyed 210 of its data protection and GDPR clients.
Email has played a large role in communication GDPR basics to staff — 50% have employed it. But it ranks second to staff meetings (60%). In addition, 39% have used training programs, 36.19% e-learning, and 22% comprehensive staff awareness programs.
In addition, 19% put up displays and posters. Of those surveyed, 59% are aware of the changes and have adapted their internal processes.
They have made improvements in handling data subject access requests (DSARs), one of the key provisions of GDPR. The study shows that 59% are aware of the required changes and have addressed them. Still, 29% are only part of the way there. Another 7% say that while they are aware, they have done nothing. And 3% ask, “What is a DSAR?”
“For many organizations, DSARs would have not been a priority before May 25, 2018,” the study notes. “In most cases, individuals were not aware of their rights to request their data and, where they were aware, there was often a fee associated with the request.”
DSARs can be made by email, phone call, web contact form or just about any means.
When it comes to data breaches, 61% have implemented basic security controls, but fewer have procedures in place to notify authorities in the required 72-hour window. Only 26% have had their cyber security controls validated.
Over 83% are at least partially aware of when a data protection impact assessment (DPIA) is needed, but 71% feel confident in their ability to perform one.
Of the respondents, 68% were instrumental in writing their firm’s privacy notice. In addition, 13% know how to find their privacy notice and understand it.
But 0.48% ask, “What is a privacy notice?”
“It is discouraging to see so many organizations understanding the GDPR and its applicability to their businesses but failing to comply,” states Alan Calder, founder and executive chairman of IT Governance.
He adds, “May 25 should have been the wakeup call, but it’s not too late to begin your compliance journey.”