GDPR Impact

Serviceteam IT UK Cloud Snapshot Survey 2017

General Data Protection Regulation (GDPR) is by far the largest external focus for companies in the lead up to its introduction in May 2018. GDPR mandates considerably tougher penalties than the current Data Protection Act; organisations found in breach of the Regulation can expect administrative fines of up to 4% of annual global turnover or €20 million – whichever is greater. The GDPR impact of fines of this scale could very easily lead to business insolvency.

Which external factors will impact on IT over the next 3 years?

When asked about the external factors threatening their IT strategy, 60% of respondents listed the GDPR impact as the biggest challenge to their IT plans over the next 3 years.

One of the key findings to come from the report is the fact that GDPR is seen as a greater challenge by many UK businesses than Brexit. This could be explained by the uncertainty surrounding Brexit and the true impact leaving the EU will have for UK firms, whilst the certainty of the GDPR impact makes this a priority for firms in the UK.

60% state GDPR will have the biggest impact on IT in the next three years

GDPR: 60%
Cyber-Security: 21%

Which external factors do you feel will have the biggest impact on your IT plans for the next 36 months?

64% welcomed ‘the right to access’

21% think they will activate their new rights in the first month

GDPR replaces the Data Protection Act of 1998. The digital landscape in 1998 was completely different. Pre-Google, we searched the internet using Yahoo, Lycos, or AltaVista from our Netscape or Internet Explorer browsers. Social media didn’t exist as we understand it today, was limited to the likes of Geocities, and only 20% of people had been online in the last 12 months. GDPR makes data security fit for purpose in our digital world of 2017 and beyond.

The GDPR changes the historic understanding of what data privacy and data security compliance mean. No longer is it purely a checklist ticking exercise. Now the journey to compliance is more risk management focused. Risk calculations and appropriate privacy protections, as well as data security, are up front and central in all aspects of personal data management. GDPR needs to cover technology, process and policy and needs buy in and sponsorship from the senior management in all companies. While 6% of companies believe that Brexit will halt GDPR, the government has made it very clear that GDPR will be adopted fully and will remain law after Brexit. GDPR is seen in most companies as an IT department issue but in companies of over 250 employees, a Data Protection Officer is required as a part of the incoming regulation.

The effects of the GDPR impact on an organisation will largely depend on their existing data policies. Many companies have not had to pay too much attention to this area before outside of the general good business practice processes. However, GDPR changes this, not just because of the risk of heavy fines but also because it will make customers more aware of the rights that they have to see what data is being held and find out how that data is going to be used. In a July poll by SAS of over 2,000 people 64% welcomed ‘the right to access’ (e.g. get a copy of personal data held about them) with the 45- to 54-year-old age group is most likely to issue a request, with just over one in five (21%) thinking they will activate their new rights in the first month. That figure may be a shock to many companies who believe they can continue as they have been up until now. Many companies have disparate systems that have grown up over years through expansion, acquisition and mergers and they simply do not know where all the data is stored. The impact of such an issue on IT is not being ignored by most companies with a large slice of companies’ IT budgets being allocated to data storage projects to address this very issue.