UK Firms on GDPR Hiring Spree but Gaps Persist


Only around two-thirds of UK firms plan to hire new permanent employees to deal with the EU data protection rules taking effect next year, as several new reports reveal ongoing gaps in compliance.

Recruiter Robert Half polled 400 UK directors and found that 66% were planning to bring in permanent staff and 64% temporary staff.

It claimed demand for permanent project managers (33%), business analysts (26%) and data protection officers (26%) will increase.

However, appointing a DPO is mandatory under the new EU General Data Protection Regulation (GDPR) for organizations that meet its criteria (public authorities, and those whose core activities involve large-scale systematic monitoring of individuals or large-scale processing of special categories of data), and firms that fail to appoint one when required face a maximum fine of €10m or 2% of global annual turnover, whichever is higher.

In addition, just six of the top 20 biggest social media, software, financial technology and internet companies with EU operations contacted by the FT said they had already appointed a board member responsible for data protection.

Ideally a DPO or equivalent role should already be in place to coordinate compliance efforts ahead of the 25 May 2018 deadline.

In fact, more than a quarter (28%) of large UK enterprises have yet to start, or have barely started, compliance efforts, and even fewer (22%) describe themselves as fully prepared, according to a CA poll of over 100 firms with 5,000 employees.

Steve Durbin, managing director of the Information Security Forum (ISF), argued that the GDPR is the “greatest shake-up in privacy legislation that we have seen”, and will need organizations – especially in the tech sector – to invest in additional skills.

"It requires organizations to provide individuals with access to their personal data and then allow them to request that the data be corrected, moved to another service provider, or deleted altogether,” he added.

“This is key for the tech industry; regardless of potential cost, they must match the efforts of other industries to ensure the needs and wishes of their consumers are met."

There is an extra burden particularly on cloud service providers (CSPs), which have not previously been directly subject to data protection law.

The GDPR, by contrast, applies both to the data controllers that collect personal data on individuals in the EU and to the “processors” – including the CSPs – that handle that data on their behalf.

Source: Information Security Magazine