A little while ago A3 Communications commissioned a survey of 100 UK IT decision makers from organisations with a minimum of 1,000 staff, around the much-discussed topic of GDPR. The results of this study became part of the agenda of our second event on this subject in our IT Question Time series of roundtables.
When we first brainstormed possible questions to put to these IT professionals and decided to ask them whether they agreed with the statement ‘When it comes to our organisation's IT infrastructure, we understand the necessary steps to take in order to support the organisation in its mission to be GDPR compliant’ we thought that the answers would be varied. Who wouldn’t? After all the hype around this new regulation, the countless articles offering advice on how to eschew the seemingly unavoidable pitfalls that hung over the heads of IT departments, senior executives and compliance officers come 25th May 2018, the tips on how to get ‘GDPR ready’ - most of the above actually giving conflicting information - you would have been forgiven for thinking that maybe, just maybe, people are a little confused as to what exactly GDPR means for their organisations.
But it seems that that is not the case. Apparently nearly all IT departments today are clear on the steps they need to take in order to help their organisations be GDPR compliant. In fact, an astonishing 99% of respondents (strongly) agrees with the statement ‘When it comes to our organisation's IT infrastructure, we understand the necessary steps to take in order to support the organisation in its mission to be GDPR compliant.’ Ninety-nine percent. That’s virtually everyone. And with 43%, nearly half is so confident about their understanding of the subject that they said that they ‘strongly agree’ with our statement. If you’ve been in the industry long enough to remember basel II, you will also remember quite how long it took for people and organisations to get their heads around it. For context, the only respondent who disagrees is from an organisation in the business and professional services sector, with 1,000 to 2,999 employees (industries polled were business and professional services, financial services, IT, retail, distribution and transport, manufacturing, and other commercial sectors).
So if this figures are indeed indicative of the country’s understanding of what GDPR means and entails for IT departments, does this mean that the millions of words written and spoken about this subject have been effective in educating IT professionals? Have all the papers published by the ICO been worth it? Has the advice of respected commentators such as Renzo Marchini at law firm Fieldfisher been taken on board? Our survey would say so. What it doesn’t tell us is whether these respondents have taken the necessary steps to make their organisations GDPR compliant. Because understanding what you are required to do in order to achieve a goal is one thing, but to put that into practice is another. In fact, panellists and audience alike at our latest IT Question Time roundtable, were highly skeptical of the above results, with someone even asking ‘I'd like to know what they've been taking!’ referring to the respondents.
But let’s take a closer look at how this confidence is spread among the various industries. The financial services market was the one to most strongly agree with our statement, at 55%. It was followed by retail, distribution and transport, at 46.7%, business and professional services, manufacturing and other commercial sectors all at 40%. In the last spot with 30%? Can you guess? It was respondents from the IT industry. Indeed they were the smallest group to select ‘strongly agree.’ Is this a sign that after all, if technology is your bread and butter, you might be aware that becoming GDPR compliant is not that straightforward?
Things, however, get even more interesting. If we look at the ‘agree’ split, respondents from the IT industry were the largest group, with an impressive 70%! Meaning they were the fewest to strongly agree, but the most to agree. Behind them in the ‘agree’ box are manufacturing and other commercial sectors at 60%, business and professional services at 55%, retail, distribution and transport at 53.3%, and financial services at 45%.
The split between organisations of different sizes also reveals an interesting picture: when it comes to organisations with 1,000 to 3,000 employees the percentage of respondents who strongly agree (48%) is marginally lower than that of those who simply agree (50%). However in larger companies, namely with more than 3,000 employees, the groups are reversed and the split is much more marked, with 38% strongly agreeing and 62% agreeing. Could the latter pair of figures be due to the same reason why in the IT industry we have the lowest number of respondents strongly agreeing? Could it be that the larger or more knowledgeable the IT team, the more reticent they are to strongly agree with our statement? Is there something they know that other IT professionals don’t?
Complying with GDPR from a technology point of view, requires significant investment of resources this could be one of the reasons why respondents from organisations that might have enlisted the help of advisors such as law firms and IT consultancies are more likely to agree than to strongly agree with our statement. There is also the issue of responsibility, especially today when despite a trend towards cloud repatriation large volumes of data are still stored in third party locations. If an organisation fails to comply to GDPR does it have any come back on its advisors or suppliers? Does the buck stop with service providers?
At a time when lack of compliance can lead to fines that run into millions of dollars, could it be that the more you look into GDPR, the more you realise you are not ready for it? And if knowledge is power, is a little knowledge still a dangerous thing?