Are you expecting GDPR fines? Nearly half of marketing businesses are …

The GDPR is almost upon us, and you’ll probably have noticed a deluge of emails from companies about changes to their privacy policies and terms and conditions.


With two weeks to go, businesses are running out of time if they want to comply with the regulation by May 25th. We have been tracking firms' confidence levels on this blog for several months, and recent surveys show that many organisations are still not prepared for deadline day.

Organisations scramble to comply as deadline looms

On May 1st, data technology provider Ensighten published a survey showing that 45 per cent of marketers expected their departments to incur GDPR-related fines.


Seven per cent of those surveyed had not begun any preparations for the regulation, while 61 per cent said they would ask for an extension to the deadline if one were available.


“Unfortunately, we found that brands are aware, but still uncertain in their final month of GDPR preparation,” said Ian Woolley, Chief Revenue Officer at Ensighten.


Marketers aren’t the only professionals concerned about their GDPR readiness; many financial services organisations are also struggling to meet the appropriate timelines.


Research from Cordium and AmberGate found that over half of investment firms said they would not be ready for the regulation's introduction.

The biggest GDPR compliance challenges

The biggest compliance challenges appear to be breach reporting and handling data subject rights requests.


GDPR requires organisations to notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Organisations must also inform the affected individuals themselves where the breach is likely to result in a high risk to their rights and freedoms.


Complying with the 72-hour reporting window will be a problem for 59 per cent of investment firms, according to the Cordium and AmberGate research. Data subject rights, however, are proving even more difficult.


Under the GDPR, individuals have much greater control over how their data is used. People will have better access to their information and can ask data controllers to erase or rectify their details far more easily. Nearly two-thirds of investment firms believe they will not be fully compliant with these rules by May 25th.

What penalties might non-compliant firms face?

The potential penalties for GDPR failings have made headlines in recent months, with non-compliant firms facing a fine of up to €20 million or four per cent of annual worldwide turnover, whichever is higher.

It should be stressed, however, that this is the maximum penalty and will only be imposed for the most serious infringements. There are two tiers of fines, with a lower maximum of €10 million or two per cent of annual worldwide turnover for less severe infringements.


The ICO has also stated that it is more likely to work with organisations to improve their compliance than to impose maximum fines, except in the most serious cases.


Corporate governance departments should therefore ensure they allocate sufficient resources to GDPR compliance, both in the run-up to May 25th and beyond, in order to avoid fines and maximise potential strategic benefit.


Contact me on 0207 936 2601 or via email at to discuss your data privacy and information security recruitment needs.


Our 2018 Market Reports combine our review of the prevailing conditions in the security & resilience recruitment market with the results of our latest employer survey.


Image credit: Tanaonte via iStock