Many organisations had to hire additional staff or employ external consultants due to internal resource issues. Even when work was outsourced, sometimes at considerable expense, it was not necessarily problem free with one respondent stating that ‘We engaged external solicitors but they themselves saw in increased workload, which reduced their response time for us’. This was reinforced by another respondent who revealed that ‘Our issue was mainly one of resource. We started the exercise last summer but the data mapping took months. By the time we were ready to analyse it with our lawyers, they themselves were inundated and took some time to produce our GDPR readiness report.’
One critic bemoaned the fact that ‘Tech resources have been diverted from business improvements to compliance at a time when a UK company should be focussing on using technology to improve productivity and drive the business forward.’ Several respondents struck a more positive note, stating that ‘It has taken a considerable amount of time, but has provided us with a good opportunity to review contracts and arrangements with external suppliers’ and ‘It will improve our approach to data handling and ensure that our housekeeping is much better. It is definitely a good thing, but, for an SME with limited resources, implementation has been quite painful.’
Resource issues and outstanding issues with third party contractors contributed to the delay in hitting full compliance. Just 50% of organisations were fully compliant with GDPR when the new EU data protection regulation came into force on 25 May. Some 27% admitted to not being fully compliant in time, with the remaining 23% unsure.
According to Peter Swabey, Policy and Research Director at ICSA: The Governance Institute:
“Achieving full compliance has been extremely time-consuming for many organisations and there is some concern that ongoing compliance will continue to be burdensome. Many of the areas that were named as being problematic – coordination between jurisdictions; group-wide solutions; third-party engagement; and staff training – will continue to be of importance and will require organisations to review processes and procedures on an ongoing basis. It is important for organisations to keep in mind that 25 May was just the start.”