The introduction of GDPR has not yet led to a substantial improvement in organisations’ understanding of their data, according to a poll out today from ICSA: The Governance Institute and recruitment specialist The Core Partnership.
The poll reveals that the majority of organisations surveyed (42%) feel that their understanding of data has stayed the same since GDPR was introduced. Some 39% of respondents believe that their understanding has improved significantly, however, while a further 17% think that it has improved slightly.
Some of the positives cited as resulting from the implementation of GDPR are:
- Much more awareness of data issues than was previously the case
- It has forced the organisation to review and update procedures right across the board and identified many gaps
- It has made us cull our databases significantly
- The law change has given our legal colleagues a seat at the table to ensure compliance is taken seriously not only when dealing with customers but right upstream as new processes/systems are being designed
- Greater understanding of security of my own personal data in my personal life.
Some of the more negative comments include:
- GDPR is a hassle and hasn’t advanced business. It’s only increased overheads
- Huge burden on resources
- GDPR has created much extra work for little extra benefit
- Data subject access requests are taking a disproportionate amount of time and money to resolve
- Significant compliance burden with no clear additional benefit to data subjects. The previous legislation seemed more than adequate.
According to Peter Swabey, Policy and Research Director at ICSA:
‘Some organisations feel that GDPR has added cost and complexity and that a sledgehammer has been used to crack a nut in terms of what GDPR has actually achieved. Others feel that it has helped them to clarify and make more efficient the systems and processes that use personal data. While GDPR has undoubtedly increased the compliance burden and costs, there are also benefits in that the profile of properly holding and protecting data has also significantly increased. While GDPR has concentrated people’s minds on personal data, it is a continuing obligation whose burden is yet to be fully felt. It should also be remembered that obligations under the UK’s Privacy and Electronic Communications Regulations (PECR) are of equal importance and it is important that organisations understand the interaction between GDPR, PECR and the Data Protection Act 2018.’