According to research from the Direct Marketing Association (DMA), just over half (54%) of businesses say they are on course or ahead of plans to be ready for GDPR implementation on 25 May 2018, admittedly down from 68% in February. 24% said they were yet to even start a plan.
The third chapter of the DMA’s GDPR and you research series found many companies fearful that new guidance from the Information Commissioner’s Office (ICO) and others may penalise those most prepared.
DMA board chair Mark Runacus told PrintWeek: "GDPR is not just a compliance or legal issue, it's no longer good enough for organisations to be comfortable being just the right side of the law.
"The new laws should be something that all businesses act on, and more importantly they should use them as an opportunity to truly transform their customer relationships; to put transparency and honesty at the heart of everything they do."
DMA chief executive Chris Combemale said he feared recent announcements from the ICO have caused concern that interpretation of the laws is overly strict.
“What industry needs is balanced and fair guidance from the ICO and Article 28 Working Party. With just 12 months to prepare we need this guidance urgently if we’re expected to be ready in time,” said Combemale.
The regulations, which were first put forward by the EU in January 2012 and were approved in April 2016, are set to replace the UK Data Protection Act 1998. Despite murmurings that Brexit would render them useless, the contents will now be implemented in the UK.
The regulations will, amongst other things, mean non-EU businesses will have to comply if doing business with EU companies or processing EU citizens’ data, give data processors direct legal responsibilities, carry huge fines for data breaches and bring in tougher rules to obtain consent data.
In its most recent guidance on preparing for the changes, the ICO has set out 12 steps. These include making decision makers aware that the law is changing, documenting any personal data currently held, designating a data protection officer to take responsibility for client data and initiating a review of how companies seek, manage and store consent.