Two studies show most firms unready for GDPR deadline

A majority of legal counsels around the globe think their firms are not prepared for Europe’s new General Data Protection Regulation (GDPR), a study by consultancy KPMG International and law firm directory The Legal 500 has reported.

Financial firms fare no better; one in two investment firms globally will not be ready for GDPR before the looming deadline, according to a survey of more than 279 financial firms made by Cordium, a governance, risk and compliance services firm, partnered with AmberGate, a data protection advisory.

More than a third of financial firms (34%) said they have not even begun preparing for GDPR, the Cordium study, carried out in April, reported.

Just 2% of firms around the globe have finished putting the correct procedures in place, with just 30 days to go before GDPR’s 25 May compliance deadline, the same research indicated.

Some 54% of legal counsels felt their businesses were not prepared for the new European law, enforceable for any firm worldwide doing business with European customers, according to KPMG’s study of firms with a median $4.3bn in annual revenues.

Only 10% of legal counsels across the 448 organisations surveyed by KPMG have checked whether third-parties – including data handling firms – comply with the new European data regime.

One respondent within a technology media and telecoms company, commented: “The real difficulty with GDPR is working out which third-party relationships might get us into difficulty.

“Knowing how our commercial partners use data is a critical part of our compliance strategy but it is very difficult to monitor effectively,” the unnamed general counsel added.

At organisations where data security and cyber risk are not considered matters for senior management, only 13% of senior legal counsel felt prepared for GDPR.

Some 63% of counsels said their firm had already appointed a dedicated data protection officer or local representative within the EU.

Meanwhile, Cordium’s study of financial firms showed 59% were unprepared to comply with the required 72-hour window to report a breach of customer data to regulators, and 64% were unprepared to respond to an exercise of data subject rights.

Asset managers make up 38% of the 279 responses, and hedge funds another 27%, while private equity funds composed nearly 15%; almost 70% of firms taking part had European operations.

Michael Corcione, head of cyber security and data protection at Cordium, said: “Companies that have not yet started their GDPR programme – or those still at the early stages – expose themselves to significant compliance and reputational risk.

“With just a four-week window firms should be practicing these procedures, not defining them,” he added.

KPMG’s study outlined six common pitfalls lying between many firms and GDPR compliance.

• GDPR affects all parts of the organisation, which can frustrate efforts to determine responsibility and accountability. Implementing policies across the organisation was named as the top challenge by about one in five respondents.

• While the legal team is central to preparation efforts, success depends on its ability to work with other departments to map issues and develop solutions.

• The GDPR regime is based on principles rather than prescriptive rules, and interpretation of legal requirements and obligations can be difficult in the absence of precedents or additional guidance.

• GDPR compliance requires understanding and control over all of the IT systems and processes for handling personal data collection – including data that may be hidden in legacy architecture and systems.

• Few organisations have sought to understand the risks arising from the actions of third-party suppliers and other commercial partners; only 10% have made contact to check third-party compliance with GDPR.

• Finally, most organisations have struggled to identify all data processing activities or gain a broad internal overview of their processes. For GCs, this has made compliance a continually moving target.

Writing in the report’s foreword, Juerg Birri, global head of legal services at KPMG International, commented: “Companies that do not get compliance right risk fines of 4% of global turnover or €20m, whichever is greater. Regulators have made it clear that they intend to fully flex their powers to enforce the regulation.

“Compliance with GDPR aside, no business wants to face the reputational fall-out of failing to protect their customers’ personal information – as the WannaCry, Cambridge Analytica and far too many other breaches show,” Birri added.