A costly exercise
Gearing up for, and implementing GDPR compliance, has been a costly exercise, with 61% of businesses admitting that costs were either ‘a little’ or ‘a lot more’ than expected. In all, 58% of businesses calculated that internal and external GDPR-related costs to date (such as IT, audit, legal and training) were between €50,000 and €250,000.
Although 68% of businesses found it challenging to put the necessary compliance structures in place, there is also a shared belief that the introduction of GDPR has been a positive development for society, with 82% of businesses ‘agreeing’ or ‘strongly agreeing’ that GDPR has been beneficial for individuals.
McCann FitzGerald technology and innovation partner Paul Lavery says: "An interesting aspect of the research is the air of confidence among organisations of their understanding of GDPR.
"Nobody said the road to GDPR compliance would be easy, but most organisations have found it to be a worthwhile, albeit, at times painful, exercise in terms of information governance, something they may not have done otherwise.
"Overall, organisations are cautiously optimistic. This optimism is likely to be tested in the coming months as enforcement actions and data-subject activism start to kick in.
Mazars’ partner Liam McKenna says: "The research shows positive action among the business community, as evidenced by the appointment of data protection officers, the investment of financial resources, as well as the proactive reporting of data breaches.
"However, it is clear that embedding compliance into business as usual functions, in order to demonstrate accountability, is proving challenging. Although a baseline level of compliance has been achieved, organisations are continuing to develop so as to manage data protection risks," he said.
The majority of businesses (33%) have found the creation and maintenance of records relating to the processing of data activities to be the greatest challenge. Other problems have been the documenting and evidencing of compliance (21%), and addressing security obligations (15%).
Unsurprisingly, organisations are not relying on just one legal base for the processing of their data: contracts, legitimate interest and compliance with legal obligation are relied upon as legal bases for processing by just over 50% of respondents.
Consent is slightly less widely used, and 54% of respondents said that they found meeting the requirements in relation to consent to be ‘challenging’ or ‘extremely challenging’.
Since the introduction of GDPR in May 2018, individuals appear to be more aware and keen to exercise their rights, with 56% of businesses reporting an increase in data-subject requests since the introduction of GDPR.
Appointing a DPO
A total of 68% of respondents (many of which are organisations for whom a DPO is mandatory) have appointed a data protection officer (DPO), and of those organisations, 52% in-sourced the appointment of their DPO, while 16% chose to outsource.
34% of organisations who appointed a DPO said they found it was ‘not at all difficult’ to source and appoint a DPO, while 32% found it ‘very difficult'.
Another positive trend is the seniority of the role, with 62% of organisations saying that their DPO would report to C-Level executives, including the CEO.
Where to next?
With 56% of firms reporting that GDPR compliance has placed an excessive administrative burden on their organisations, further investment will be needed to ensure that ongoing compliance is sustainable.
Businesses relying on manual processes will need more automated solutions, since labour-intensive maintenance of active records of processing are identified as areas of concern from an enforcement perspective.
Looking ahead, 84% of companies said that they would implement IT solutions to support the delivery of, and demonstrate their compliance with GDPR. Of the 84%, a total of 30% expected to invest between €50,000 and €250,000 in implementing these IT solutions.
On future plans for GDPR in light of Brexit, 50% say that they are waiting for further developments before they make a post-Brexit plan.