Non-compliance with GDPR could put organisations out of business


30 April 2017

Research findings from information management company Veritas Technologies have revealed that 86 per cent of organisations worldwide are concerned that a failure to adhere to the upcoming General Data Protection Regulation (GDPR) could have a major negative impact on their business.

According to the research, nearly 20 per cent said they fear that non-compliance could put them out of business. In Singapore, the numbers are higher than the global average, with 92 per cent of all local organisations expressing concerns over the potential GDPR fallout, along with 20 per cent who fear that their business could shut down due to non-compliance. This is in the face of potential fines for non-compliance as high as US$21 million (S$29.8 million) or four per cent of annual turnover, whichever is greater.

Intended to harmonise the governance of information that relates to individuals (personal data) across European Union (EU) member states, the GDPR requires greater oversight of where and how personal data—including credit card, banking and health information—is stored and transferred, and how access to it is policed and audited by organisations.

GDPR, which takes effect on 25 May 2018, will not only affect companies within the EU, but extend globally, impacting any company that offers goods or services to EU residents, or monitors their behaviour, for example, by tracking their buying habits. The study indicates that a whopping 47 per cent of organisations globally have major doubts that they will meet this impending compliance deadline. In Singapore, the number beats the global average, sitting at 56 per cent.

“There is just over a year to go before GDPR comes into force, yet the ‘out of sight, out of mind’ mentality still exists in organisations around the world. It doesn’t matter if you’re based in the EU or not, if your organisation does business in the region, the regulation applies to you,” said Mike Palmer, executive vice president and chief product officer at Veritas.

The research findings from The Veritas 2017 GDPR Report, which surveyed more than 900 senior business decision makers in 2017 across Europe, the US and Asia Pacific, also found that more than 20 per cent are very worried about potential layoffs, fearing that staff reductions may be an inevitable outcome of financial penalties incurred through GDPR compliance failures. Singapore shares this sentiment, with 19 per cent fearing potential loss of jobs.

According to the report, companies are also worried about the impact non-compliance could have on their brand image, especially if and when a compliance failure is made public, potentially as a result of the new obligations to notify data breaches to those affected. In Singapore, 20 per cent of those surveyed fear that negative media or social coverage could cause their organisation to lose customers, slightly above the global average of 19 per cent. An additional 10 per cent, similar to the global average of 12 per cent, are very concerned that their brand would be devalued as a result of negative coverage.

The research also shows that many companies appear to be facing serious challenges in understanding what data they have, where that data is located, and its relevance to the business. Key findings reveal that many companies are struggling to solve these challenges because they lack the proper technology to address compliance regulations.

In line with the global average of 32 per cent, one third (34 per cent) of local respondents fear that their current technology stack is unable to manage their data effectively, something that could hinder their ability to search, discover and review data, all of which are essential criteria for GDPR compliance.

In addition, 42 per cent of local respondents say their organisation cannot accurately identify and locate relevant data. This is another critical competency, as the regulation mandates that, when requested, businesses must be able to provide individuals with a copy of their data, or delete it, within a 30-day time frame.

There is also widespread concern about data retention. In Singapore, 43 per cent of organisations admitted that there is no mechanism in place to determine which data should be saved or deleted based on its value. Under GDPR, companies can retain personal data if it is still being used for the purpose that was notified to the individual concerned when the data was collected, but must delete personal data when it is no longer needed for that purpose.

Veritas’ research found that 18 per cent of local respondents believe their organisation is GDPR ready. On average, local firms are forecasting spending in excess of US$1.55 million (S$2.2 million) on GDPR readiness initiatives.

A sensible next step, said Veritas’ Palmer, would be to seek an advisory service that can check the level of readiness and build a strategy that ensures compliance. “A failure to react now puts jobs, brand reputation and the livelihood of businesses in jeopardy.”