by Thomas Macaulay

CIOs confident their organisations will be GDPR compliant, 2018 CIO 100 reveals

Apr 25, 2018
IT Leadership | IT Strategy

CIOs are largely confident their organisations will be compliant with GDPR by 25 May 2018, according to the 2018 CIO 100.

Some 70% of CIO 100 organisations said that they were either already compliant (14%) or more confident than concerned (56%) that they had put the correct measures in place to comply with the regulation.

Not all members of the CIO 100 share their confidence, however.

A quarter of the respondents said they were as confident as they were concerned that they would be ready for GDPR, while 4% were more concerned than confident, and a worrying 1% said they were not at all confident or very concerned.

Information Commissioner Elizabeth Denham advised them to focus on upholding the fundamental human rights around data protection, as GDPR will only be strengthening and enforcing these principles.

“GDPR is an evolution in data protection, not a total revolution,” she said. “It demands more of organisations in terms of accountability for their use of personal data and enhances the existing rights of individuals. If you are already complying with the terms of the Data Protection Act, and have an effective data governance programme in place, then you are already well on the way to being ready for GDPR.

“Many of the fundamentals remain the same and have been known about for a long time. Fairness, transparency, accuracy, security, minimisation and respect for the rights of the individual whose data you want to process – these are all things you should already be doing with data and GDPR seeks only to build on those principles.”

Data privacy lawyer Annabel Gillham told CIO UK that the survey results were encouraging.

She pointed to recent research by Ernst & Young that revealed that the GDPR preparations of many executives lag behind even the most concerned members of the CIO 100.

Of the 745 executives from 19 countries that Ernst & Young asked about GDPR, 39% indicated that they are not even familiar with the regulation.

“For those who are feeling less confident about GDPR preparedness, it’s time to embrace it!” said Gillham, an attorney at Morrison & Foerster.

“It’s far better at least to have made a start prior to 25 May, even if you are not going to be fully compliant by then.

“It’s worth remembering that the ICO will expect you to have records of data processing, as well as compliant policies at your fingertips. If necessary given the looming deadline, identify the higher risk, data-heavy areas of the business and start there.”

Radius Payment Solutions CIO Dave Roberts told CIO UK that he was embracing the positives of GDPR as a business opportunity.

“GDPR regulation is helping to drive best practice within organisations,” said the CIO 100 member. “The GDPR journey goes beyond the 25 May deadline and should become ingrained into the culture and DNA of the business.

“Good data governance is helping to differentiate organisations, with data now being considered as a critical business asset. It is important that the asset is managed appropriately with a customer-centric view to ensure data privacy is upheld and respected. Organisations that get this right will flourish, those that don’t will cease to be.”

GDPR threats and opportunities

Data protection breaches under GDPR could cause reputational as well as financial damage, but the regulation also offers organisations the chance to enhance their image, build customer loyalty and improve the accuracy of their data.

Denham is keen to promote the positives of GDPR and the message that big fines will be a last resort rather than the norm.

“We pride ourselves on being a fair and proportionate regulator and this will continue under the GDPR,” she said.

“Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.”