The way global companies handle data is set to change dramatically on 25 May 2018, when the European Union’s (EU) General Data Protection Regulation (GDPR) comes into force. Designed to address concerns over the security and use of personal data, GDPR will apply to data processing activities regarding personal data within Europe as well as data transfers within the EU and between the EU and non-EU countries, and it looks likely to become the global benchmark for protecting personal data.
Legal teams are front and center as companies get ready to comply with GDPR, and the stakes are high. Companies that do not get compliance right risk fines of 4% of global turnover or €20m, whichever is greater. Regulators have made it clear that they intend to fully flex their powers to enforce the regulation.
Compliance with GDPR aside, no business wants to face the reputational fallout of failing to protect its customers’ personal information – as the WannaCry, Cambridge Analytica and far too many other breaches show.
How are legal teams working with businesses to prepare for the new regime, and are they confident they will be ready? KPMG International sponsored The Legal 500 to find out.
The results of a survey of 448 legal counsel and in-depth interviews with over 30 senior general counsels, set out in this report, combine to offer a view of the state of GDPR implementation worldwide. The countries, regions and jurisdictions covered in this survey – Australia, Brazil, Germany, Ireland, Italy, Russia, Spain, Taiwan, United Kingdom and United States – span a range of key markets, both within and outside the EU.
The results of this survey reveal that legal teams face significant hurdles as they seek to implement a data protection management system that allows them to continue operations and capitalise on the valuable data they hold. Among the biggest challenges respondents faced:
- GDPR affects all parts of the organisation, which can frustrate efforts to determine responsibility and accountability. Implementing policies across the organisation was named as the top challenge by about one in five respondents.
- While the legal team is central to preparation efforts, success depends on its ability to work with other departments to map issues and develop solutions.
- The GDPR regime is based on principles rather than prescriptive rules, and interpretation of legal requirements and obligations can be difficult in the absence of precedents or additional guidance.
- GDPR compliance requires understanding and control over all of the IT systems and processes for handling personal data collection – including data that may be hidden in legacy architecture and systems.
- Few organisations have sought to understand the risks arising from the actions of third-party suppliers and other commercial partners; only 10% have made contact to check third-party compliance with GDPR.
- Finally, most organisations have struggled to identify all data processing activities or gain a broad internal overview of their processes. For general counsel (GCs), this has made compliance a continually moving target.
Faced with challenges like these, only a minority of the legal counsel surveyed feel confident that their organisations have done enough to comply. Fewer than half (46%) of respondents believe their organisations are prepared for GDPR, while under 10% of respondents believe that employees at their organisation are fully aware of their data protection obligations under GDPR and national laws.
This report offers a view of how legal teams are addressing the challenges of GDPR and identifies a number of leading practices for getting organisations’ systems and processes onside. As legal counsel reported in interviews, the best solution to these challenges may be to focus on the opportunities. For example:
- Demonstrating GDPR compliance can be a good opportunity to differentiate your business by winning more consumer trust and thus competitive advantage.
- GDPR compliance can benefit the organisation’s culture, as stronger governance structures for handling data help mitigate other risks (e.g. security, bribery, corruption).
- More disciplined management of customer data can produce opportunities to build connections with customers and produce better products.
By approaching GDPR as a chance to invest in a leading-edge global data protection management system, KPMG member firm legal teams can help their clients get more control over data and leverage that data to gain more strategic value.
KPMG’s Global Legal Services practice is proud to support The Legal 500’s survey to better understand how organisations inside and outside the EU are preparing for GDPR and to identify the challenges they are facing along the way. The KPMG network of Legal Services firms is uniquely positioned to offer advice in this area due to our multi-disciplinary service approach, deep industry knowledge, and global reach. Our legal practices operate in 75 countries with over 1,650 legal professionals.