More than 75% of organisations could be struggling with GDPR compliance a full year on from the introduction of the regulation.
That’s according to research from Crown Records Management, which says only 23% of businesses considered their compliance capabilities around GDPR to be ‘very good’.
Just 20% of the 100 CIOs and data professionals within large organisations that were surveyed rated their business’s ability to prove that their data collection and processes are GDPR compliant, leaving many at risk of potential fines.
In the research, only 22% of respondents felt that their ability to confirm the identity of people making subject access requests was strong. Their ability to effectively redact information from documents if required was also a challenge for most, highlighting the need for better control over data and improved processes and systems to support GDPR compliance.
More broadly, close to half of respondents felt that their organisation’s data storage methods are in need of improvement and attention (46%), closely followed by data retrieval processes (44%) and data storage and protection (43%).
A lack of visibility of crucial personal data is leaving many businesses failing to meet the regulation, says Crown Records Management. Less than a quarter of organisations (24%) feel their ability to provide all personally identifiable data (PID) if required is very good. Organisations also seem to be struggling to meet deadlines, with only 27% of respondents saying their ability to provide data within the timeframe if required was up to scratch.
Kevin Widdop, Information Security Consultant at Crown Records Management, said: “It’s concerning to witness that a year on from the introduction of GDPR businesses are still struggling to implement effective records management processes, leaving them open to potential fines. Companies have clearly implemented GDPR policies but have failed to put the building blocks in place to live by them.
“Organisations seem to be finding data retrieval, redaction and storage the most challenging areas. By reviewing internal processes and making the necessary changes, businesses can reduce the risk of non-compliance. Systems that help to digitise and index all relevant data are essential as they make it easier to search for and retrieve information quickly.”
Kellie Peters, Director at Databasix, added: “Over the last 12 months organisations have gained awareness of what GDPR is but not necessarily what’s involved with implementing a successful GDPR procedure. It’s important to understand where your data is because if you receive a Subject Access Request, you only have 30 days to provide the information. Therefore, it’s crucial you have full visibility of what data you’re holding and where.”