Findings on awareness regarding the GDPR and privacy laws early 2018

As the compliance deadline for the General Data Protection Regulation (GDPR) fast approaches, organizations of all kinds are publishing survey results on the state of GDPR readiness, meaning compliance, or preparation to be more or less compliant, in time.

There are so many of them that it is virtually impossible to cover them all. What is worrying, though, is that they still point to such a lack of GDPR awareness.

In this article we cover two surveys released in January 2018: one from the UK that looks at GDPR awareness overall, and one from the US that looks at staff awareness of privacy and of various national and international personal data protection and privacy laws and regulations, including the GDPR, the EU-US Privacy Shield framework, HIPAA and more.

GDPR and privacy laws and regulations awareness research 2018

On January 22nd, a poll by the London Chamber of Commerce and Industry (LCCI) showed that 24 percent of businesses in London are not aware of the General Data Protection Regulation. That is just under a quarter.

The reasons why this is worrying are diverse. First, London is obviously the center of business activity in the UK, and if a quarter of businesses in London are not aware of the GDPR, one wonders what the state of awareness is elsewhere.

Secondly, as long as the UK has not left the EU, the GDPR applies, as local lawmakers have explicitly stated and as mentioned in our recent article on the GDPR in the UK. The UK Data Protection Bill is, so to say, the local version of the GDPR, although it is broader and will also apply after the EU exit, which at the very soonest would take place close to a year AFTER the GDPR has taken effect.

The consequences of not being compliant, let alone properly aware, in time

At least as worrying is that a lack of awareness at this stage (four months before the deadline) effectively means no compliance in time, unless you are extremely fast, well informed and well guided, and of course do not process a lot of personal data of EU citizens.

For the record: not being compliant in time does not by definition mean that GDPR administrative fines will be applied. Data protection authorities would be overwhelmed, although it is quite probable that examples will be set.

Survey of London businesses by ComRes on behalf of the LCCI about their preparations for the GDPR legislation

On the other hand, not being aware now very likely means not having done anything by the time of the deadline. That in turn means that when something happens (a data subject lodges a complaint, a personal data breach takes place, a request to withdraw consent or exercise a data subject right cannot be dealt with properly, an inspection takes place, and so forth), the likelihood of higher administrative fines is, well, higher.

That is why we keep reminding readers to work towards GDPR compliance in a staged way that lets you demonstrate your efforts, which is not the same as the data controller's duty to demonstrate compliance, but counts for something nonetheless.

However, there is more. According to the same poll of over 500 London businesses, only 16% of the business decision-makers who believe the GDPR will affect them SAY their business is already prepared for the Regulation. We put SAY in capitals because of the GDPR perception gap between believing you are ready and actually being ready. Even if all of those 16% who believe they will be affected were actually ready, that would still be an extremely low percentage.

When aware, look at what changes with the GDPR

Moreover, one in three businesses in London (34 percent, to be exact) state that the GDPR is not relevant to their business, and of those who do think it is relevant, 21% say they would like to prepare for the GDPR but need to find out more about it, as the poll, conducted by ComRes (data tables in the PDF here), found.

Of course, the GDPR only changes so much. So when it replaces the UK's Data Protection Act (the current law, not to be confused with the Data Protection Bill) on May 25th, businesses that already meet their data protection responsibilities might not have to worry TOO much, as the Chief Executive of the LCCI says in the press release, where he further states: "We would urge businesses to take this opportunity to review their processes to see if they need to make any changes to be compliant."

That indeed seems to be a good idea, although we suspect there is cause for far more concern and action: the GDPR, despite not changing everything, does change an awful lot where it does change things.

The new right to data portability, for instance, is extremely difficult to implement in practice. Then there is the tiny little detail called extra-territorial application. Data processors now also have direct obligations. And there are changed stipulations on data breach notifications, consent and far more. If you are not aware of the GDPR and it turns out it does apply (and for most it does), there is of course a risk, and not just from the data subject's perspective.

One can argue that there is some confusion about the GDPR, what it means and how it affects businesses in the UK, given the exit from the EU. However, that does not change the facts.

Awareness of personal data protection and privacy laws, regulations and practices among US employees

Now let's move from the UK, and London in particular, to the US, and at the same time to the 'other' notion of GDPR awareness.

Being aware of the GDPR is not just an obvious first step towards becoming compliant in the general sense. Once you have even a basic strategic, staged GDPR plan, GDPR staff awareness quickly becomes a priority. That is a matter of culture, education, workshops, perhaps some internal rules (not the GDPR codes of conduct, just internal rules on handling personal data and on the data processing principles) and, thus, also training.

According to MediaPro’s 2018 Eye on Privacy Report, announced on January 9th, 6 in 10 US-based employees are unaware of GDPR.

For the record: whereas the LCCI is a business association, MediaPro is a well-known provider of compliance solutions and security and employee awareness training.

The fact that 60 percent of US-based employees seem to be unaware of the GDPR is not that unexpected. One also needs to take into account to what degree the surveyed employees and US businesses are affected by the GDPR, and the exact scope of the research.

MediaPro gauged employee awareness of various laws related to data privacy: on top of the GDPR, these include the EU-US Privacy Shield framework, HIPAA (US, health data), the FCRA (Fair Credit Reporting Act), the ECPA (Electronic Communications Privacy Act) and, finally, the US COPPA (Children's Online Privacy Protection Act).

Moreover, the report tested knowledge of data privacy by presenting respondents with several scenarios, which reveals some interesting patterns in how privacy-aware and risk-aware people really are (with poor scores on the handling of sensitive data, among other things).

You can read more about those by downloading the report.

Catching up seems hard to do – but needs to be done

Back to the GDPR (and the EU-US Privacy Shield), though: for 59 percent of respondents the GDPR was "completely new". For the EU-US Privacy Shield this was the case for as many as 63 percent.

Among the US laws, HIPAA turned out to be the best known, the ECPA and COPPA the least known.

What do employees in the US know about the GDPR - a breakdown per industry - for the full picture and more findings download the report by MediaPro

The share of respondents for whom the Privacy Shield was completely new also appeared to be higher among those working for some form of government.

So, all in all, two totally different surveys, each showing an apparent lack of awareness regarding privacy, personal data and the GDPR.

For companies that process personal data of EU data subjects (whether as a data controller or processor) and that are 1) not aware of the GDPR, or 2) aware of it but without aware staff where needed, it might be time to catch up a bit, to say the least.

Obviously, those who are not aware at all will not look for information and certainly will not read this article. Maybe you know a few who could use a wake-up call.

In fact, we know quite a few in the EU, outside the UK too, especially when it comes to staff awareness and full awareness rather than partial and perceived awareness, with the traditional differences between member states.


Top image: Shutterstock – Copyright: vchal – London skyline vector image: Shutterstock – Copyright: Ray_of_Light – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked, we are not liable for potential mistakes and advise you to seek assistance in preparing for EU GDPR compliance.