- Companies will spend 8 hours a day on average, or a full-time employee all day, trawling databases to meet GDPR requirements
- Large companies will spend 60 hours a day on data searches – equivalent to 7.5 employees
- 60% of European companies are not “GDPR ready”, with a quarter (24%) deemed “GDPR at risk” and 36% “GDPR challenged”, indicating potentially tens of billions in fines
- 44% of businesses are “concerned” about their ability to be GDPR compliant – but smaller companies are demonstrating a worrying lack of awareness and may be underestimating the risk
- Single subject search identified as the missing link in GDPR compliance
A significant number of EU businesses are sleepwalking towards massive penalties due to a lack of awareness of the scale of the General Data Protection Regulation (GDPR) data collection challenge. This is a central finding of a major report released today by Senzing, the California-based software technology company.
The research – Finding The Missing Link in GDPR Compliance – is based on the views of more than 1000 senior executives from companies in the UK, France, Germany, Spain and Italy. It finds that, on average, a company will get 89 GDPR enquiries per month, for which they will need to search an average of 23 different databases, each taking about 5 minutes. The total time spent simply looking for data per month will be more than 10,300 minutes (172 hours) equating to over 8 hours of searching per working day – or 1 employee dedicated solely to GDPR enquiries.
The issue is even more pronounced for large companies. These expect to get an average of 246 GDPR enquiries per month, for which they will need to search an average of 43 different databases, each taking more than 7 minutes. They will spend more than 75,500 minutes per month (1259 hours) which equates to nearly 60 hours of searching per working day – or 7.5 employees dedicated solely to GDPR enquiries every day.
The data collection challenge is exacerbated by a significant proportion of businesses which admit to not being confident about where their relevant data is housed or being able to account for all their databases. More than 1 in 10 (12%) companies say they are not confident that they know where all their data is stored; less than half (47%) are “very confident”. 15% of businesses are not confident that they have accounted for all the different databases containing personal/customer data, with only a third (35%) stating they are “very confident”.
Jeff Jonas, Founder and CEO, Senzing, says: “These findings reveal the true extent of the GDPR compliance challenge. Businesses will be faced with a mountain of data to trawl through – the end result will be a significant time and personnel cost and a great risk of missing records or worse, including the wrong records. Whilst this time requirement is most onerous for large companies, they have greater resources at their disposal. Relative to size, SMEs face a similarly gargantuan task.”
High level of concern over compliance – but the problem is still underestimated by many
Although 44% of companies say they are “concerned” about their ability to be GDPR compliant – rising to 60% in the case of large companies – many businesses are demonstrating a dangerous lack of awareness about GDPR and overconfidence that they will not be affected. Only a third of companies (35%) are aware that the potential financial fines for non-compliance, which in the worst cases can be €20 million or 4% of global annual turnover, are very severe. An alarming 30% say that financial penalties will have no impact at all; 15% say that they “don’t know” about the impact of financial fines.
Smaller businesses appear to have less appreciation for the seriousness of GDPR non-compliance. A greater proportion of large companies than SMEs understand the severity of the impact of the financial fines. 38% of SMEs and 29% of micro businesses recognise that the financial penalties could have a severe impact on them compared to almost half (47%) of large companies.
This divide between the attitudes of large and small businesses is evident in their planning for GDPR. A quarter (27%) of SMEs and half (50%) of micro businesses say their current set up is optimum and they do not need to make any changes to their operations, compared to just 16% of large companies who believe this. On average, 38% of companies do not intend to take any preparatory action. However, 39% plan to overhaul their IT/customer data systems and a further 15% intend to hire data analysts to collect data. Again, larger companies are more proactive; two thirds (64%) will overhaul their IT and a third (33%) will hire analysts.
Jonas comments: “Many businesses appear to be sleepwalking towards a GDPR abyss. The fines that can be levied for non-compliance will be potentially terminal to some organisations and even the largest companies – and certainly their shareholders – will feel a significant impact. A huge number of companies simply don’t understand the dangers of non-compliance – with smaller firms apparently particularly unaware.
“The fact there is such a distinction in the level of confidence between large and small companies in their existing data collection set up is disturbing. It suggests strongly to us that SMEs and micro businesses are seriously underestimating the impact that GDPR will have on their systems and are demonstrating misplaced optimism.”
60% of EU businesses “at risk” or “challenged” by GDPR
Based on responses, Senzing calculates that a quarter (24%) of EU companies are “at risk” in terms of being GDPR compliant. A further 36% are deemed “challenged” by the regulation, with only 40% being classed as “ready”. Taken as a proportion of all businesses operating in the EU, this could translate into tens of billions, if not hundreds of billions, of euros in fines.
Jonas adds: “You can’t search what you can’t find. Finding out who is who and where their data is should be the first principle of GDPR compliance. Our worry is that, in investing in systems, processes and personnel, many companies are attempting to reach bases two, three and four without first getting to first base. These findings point towards the fact that the missing link in GDPR compliance is single subject search. Companies are overlooking the urgent need to be able to perform a single smart subject search to find out who is who in their data. Without this, the critical enabler of GDPR readiness, many businesses will be unable to meet the demands of GDPR.”
To address this single subject search gap, Senzing is launching G2 for GDPR. This software was developed to enable organisations to resolve who is who in their data, quickly and cost-effectively, factoring in multiple databases, erroneous inputs, misspellings, duplications and different names and aggregating everything relevant for one data subject. This is designed to facilitate GDPR compliance.