With only a few weeks until the European Union’s General Data Protection Regulation (GDPR) goes into effect, many businesses are finding themselves at risk of missing the deadline and facing hefty fines.
According to a recent study conducted by Cordium and AmberGate, more than 50 percent of investment firms globally are unlikely to be ready in advance of the regulation’s implementation date – May 25, 2018.
The study, which polled over 250 financial firms, revealed a striking lack of preparedness across the financial marketplace, with just 2 percent of surveyed firms stating they had implemented GDPR policies and procedures.
Furthermore, 59 percent of firms said they were unprepared to comply with the required 72-hour window for notifying regulators of a personal data breach, and 64 percent said they were unprepared to respond to a data subject exercising their rights (for example, a subject access or erasure request).
For companies that have not yet started their GDPR program – or are still in the early stages – missing the deadline could expose them to “significant compliance and reputational risk,” warned Michael Corcione, Managing Director, Cybersecurity and Data Protection Consulting Services at Cordium, in a press release.
“Lack of readiness is due to a failure by firms to understand their exposure to the regulation, as well as MiFID II’s earlier deadline, leaving GDPR to fall down the priority list. With just a [two-week] window, firms should be practicing these procedures, not defining them,” said Corcione.
When asked which area generated the most pressure to comply with GDPR at the moment, most respondents (45 percent) said it came from their own internal governance functions. Regulatory pressures followed closely at 39 percent, while 15 percent of respondents cited investors and customers as the source of the most pressure.
“This GDPR compliance pressure from investors and customers is likely to rise post-deadline – particularly as firms move into the fundraising part of their business cycle,” read the report (PDF).
“No firm wants to have to tell an investor or customer that their GDPR compliance program has gaps, or that their overall approach to data security and privacy is not robust. Already, many firms are seeing queries come in from investors and customers about their relative state of GDPR readiness.”
Robert Baugh, Founder and CEO of AmberGate, added: “Many firms will now need to divert significant resources and time to the project – there is clearly still much to do across most organisations.”