The way global companies handle data changed dramatically on 25 May 2018, when the European Union’s (EU) General Data Protection Regulation (GDPR) came into force. Designed to address concerns over the security and use of personal data, GDPR applies to data processing activities regarding personal data within Europe as well as data transfers within the EU and between the EU and non-EU countries. It is likely to become the global benchmark for protecting personal data.
A recent global study, The GC's Guide to GDPR, conducted by The Legal 500 in association with KPMG International, surveyed General Counsels (GCs) across 448 institutions and revealed a great deal about GCs' confidence in implementing GDPR: a majority of businesses admitted that they were not ready for GDPR when it came into force on 25 May.
Throughout the process, legal teams have been made responsible for preparing compliance measures for GDPR and the stakes are high. Those that do not perform compliance tasks correctly may face fines of up to 4% of global turnover. The question is, are legal teams and GCs working efficiently to prepare their organisations for the challenges of the new regime?
Surprisingly, the research shows widely varying levels of compliance, and of confidence in compliance, among businesses across the EU and other markets.
GDPR is EU legislation, but it applies to all businesses internationally that manage or handle the data of persons in the EU. Respondents in non-EU jurisdictions, such as Brazil (52%), Russia (44%), Australia (51%) and the USA (51%), were on average more likely than EU respondents to feel prepared for GDPR.
The survey shows that even organisations located within the EU display a high degree of misplaced confidence when assessing their GDPR preparedness.
Lawyers leading on GDPR compliance
Legal teams are in the driving seat when it comes to GDPR compliance and GCs are at the heart of the process. In fact, GCs are more likely to be responsible for setting data protection compliance policies than any other function leaders across the organisations surveyed.
GCs were also responsible for setting data protection compliance policies at over a third (34%) of the organisations surveyed, compared with chief compliance officers at only a quarter. This can be challenging, as GCs often lack wider support from the business to ensure that their companies remain GDPR compliant. A GC of a consumer goods company noted that:
“A lot of GCs are almost victimised by their organisations over this. If your IT teams won’t talk to you and show you the systems – either because they don’t see it as their job or they are not properly incentivised – then you can’t really do much.”
For those appointed to the role of data protection officer (DPO), getting an overview of the various data collection and processing systems across their organisation has been and will continue to be a challenge. This challenge is particularly pronounced at multinationals where staff operate in many different jurisdictions, each with its own data protection regulations.
Establishing global data protection standards will be challenging for many organisations. The study found that just under half (47%) of organisations said data privacy was managed by a single, centralised function, while over half (55%) said they had put in place a single, global data protection standard.
For multinationals, different jurisdictions will have varying priorities and challenges. Over a fifth (21%) of respondents said implementing policies across all divisions of their organisation or group was the biggest challenge they faced.
KPMG is itself a multinational organisation, so we appreciate the challenge this brings. For example, GCs from the UK and Ireland said the biggest challenge was updating systems and changing the way the organisation stores data, so that new rights such as the right to be forgotten can be implemented effectively, while for businesses in Germany the top priority was ensuring ongoing compliance with GDPR.
Board Responsibility in Cyber
Above all, the research made it apparent that data security, and specifically how seriously board members take it, is of utmost importance. GCs have shown that, in order to avoid risks, data security must remain at the top of the business agenda.
A mere 13% of GCs believed they were prepared for the implementation of GDPR where data security and cyber risk were not a concern, or a priority, of senior management. In order to mitigate risks and ensure success, board engagement at every stage is beneficial in ensuring GDPR compliance. This is evident when comparing organisations where board members give GDPR the necessary attention with those where they do not. For example, 69% of the more attentive organisations have appointed at least one DPO, versus a mere 27% of those less concerned with GDPR.
Businesses both within and outside the EU have seemingly overlooked the risk that third parties, such as commercial suppliers, pose to GDPR compliance. This is another major risk to large businesses: only 10% have checked whether these third parties are even GDPR compliant before transmitting personal data to them. These are just a few examples of the potential risks at hand and why they must be given attention.
GDPR is a good opportunity to win trust
For all the risk, GDPR is a good opportunity to win consumer trust, to examine closely how personal data is collected and stored, and to prepare for a world where this data will become increasingly valuable. The study also showed that a number of GCs believed the best response to the challenge of GDPR is to make the most of it and focus on the opportunities it presents. In an age where data is king, storing and managing customer data appropriately is a business advantage. Done correctly, this is also an opportunity for GCs and businesses to differentiate themselves, and many organisations are already reaping rewards from managing their data effectively.
Jürg Birri, Global Head of Legal Services at KPMG International
Jürg Birri joined KPMG in Switzerland as a Partner in 2011 and heads the Legal Practice in Switzerland. He is in charge of a large team of lawyers and professionals who specialize in business law, private clients and financial market law. In addition, Jürg holds the role of Global Head of Legal for KPMG International since October 2016. As such he is responsible for the development, networking and market positioning of KPMG Legal services at global level. KPMG member firms may render legal services where authorized by law, with full observance of relevant local regulations. Legal services may not be offered to SEC registrant audit clients and/or affiliates or where otherwise prohibited by law.
As Partner for KPMG in Switzerland, a strong focus of Jürg's work is on private clients. This includes in particular the analysis of financial products from tax and legal perspectives, as well as the tax-efficient structuring of assets, succession and estate planning. Furthermore, Jürg is engaged in the international regularisation of undeclared assets in Swiss bank accounts. Drawing on his experience in the private banking sector, he advises bank management and bank customers on the transformation from an offshore to an onshore banking model.