Technology enables organisations to collect and process ever larger amounts of personal data. At the same time, society and politics have become more critical of the amount of personal data collected and processed.
The protection of personal data plays an increasingly important role within organisations, all the more so because as of May 25, 2018 new European privacy legislation (the General Data Protection Regulation or GDPR) will impose strict rules on personal data protection on both European and non-European organisations. In case of non-compliance, the GDPR foresees penalties of up to 4% of an organisation’s global annual turnover or EUR 20 million, whichever is higher. In short, as of May 25, 2018, the absence of adequate measures to protect privacy will become a real risk for organisations.
In November 2016, PwC and Law Square invited Belgian organisations to participate in a survey of privacy governance maturity. On the occasion of the European Privacy Day (January 28) the conclusions of this survey were published. The results of the survey (120 respondents) give insight into how Belgian organisations are dealing with the issue of privacy, why they think it is important, what they are doing about it and how they are dealing with the new regulation.
The results clearly show that a majority of Belgian organisations are still working to prepare for the new European rules, or have not even started. Many of them have yet to carry out a risk assessment of the processing of personal data within their organisation. 40% of the organisations polled have not yet set up a privacy programme or strategy. Only 30% have assessed compliance with the current Belgian Data Protection Act at all, let alone doing so on a regular basis.
The research also shows that the employees of organisations are currently not trained, or insufficiently trained, on the importance and risks linked to privacy governance. About 45% of the organisations have not trained their employees on the subject of privacy during the last twelve months.
The results also indicate that organisations are hardly aware of the value of GDPR seals and certifications, even though these tools can help to build trust and to demonstrate GDPR compliance.
Surprisingly, 67% of the respondents indicate that their organisations already take the ‘privacy by design’ principle into account when implementing new systems. Another interesting insight is that organisations active in regulated sectors seem to be in better shape with regard to GDPR readiness. This is probably because they already have stricter and more mature procedures and controls in place in their daily operations, information security and compliance.
At the end of 2017, we plan to do a follow-up survey. Even though the starting date of the new European regulation (May 25, 2018) may seem a long way off, the complexity and the number of measures to be taken to comply with the GDPR should not be underestimated, not only from a technical point of view but also because of the cross-departmental impact on organisations (among others for the business, and in the legal and IT departments). In addition, the sustainability of the measures implemented for GDPR compliance should also be ensured.