Three quarters of organisations could be struggling with General Data Protection Regulation (GDPR) compliance, a year on from its introduction.
Crown Records Management commissioned Sapio Research to interview 103 senior managers, IT and data professionals in companies with over 250 employees in March. The survey found that only 23 per cent consider their compliance capabilities around GDPR to be very good.
Just 20 per cent rated their business’s ability to prove that their data collection and processes are GDPR compliant, leaving many at risk of potential fines.
Meanwhile, only 22 per cent of respondents felt that their ability to confirm the identity of people making subject access requests was strong. Their ability to effectively redact information from documents if required was also a challenge for most, highlighting the need for better control over data and improved processes and systems to support GDPR compliance.
More broadly, close to half of respondents felt that their organisation’s data storage methods were in need of improvement and attention (46 per cent), closely followed by data retrieval processes (44 per cent) and data storage and protection (43 per cent).
A lack of visibility of crucial personal data is leaving many businesses failing to meet the regulation. Less than a quarter of organisations (24 per cent) felt their ability to provide all personally identifiable data if required was very good. Firms also seemed to be struggling to meet deadlines, with only 27 per cent of respondents saying their ability to provide data within the timeframe if required was up to scratch.
Kevin Widdop, information security consultant at Crown Records Management, said it was concerning that businesses are still struggling to implement effective records management processes, leaving them open to potential fines. “Companies have clearly implemented GDPR policies but have failed to put the building blocks in place to live by them.”
Kellie Peters, director at Databasix, added that over the last 12 months organisations have gained awareness of what GDPR is, but not necessarily what’s involved with implementing a successful GDPR procedure.
“It’s important to understand where your data is because if you receive a Subject Access Request, you only have 30 days to provide the information – therefore, it’s crucial you have full visibility of what data you’re holding and where.”