Fewer Than One-Third of Companies Ready for GDPR Deadline

Majority of EU recruiters say they’re prepared for the data privacy changes

By Roy Maurer, May 24, 2018

Only 29 percent of organizations worldwide will be ready for the new global data privacy standard coming into effect May 25, according to a new survey conducted by technology association ISACA.

The European Union (EU) General Data Protection Regulation (GDPR) introduces sweeping changes to data privacy laws for employers dealing with anyone in the EU, including a number of new individual rights and employer obligations that may require significant changes to internal HR systems and processes.

The European Commission released a website to help businesses with implementation.

Not only did most of the 6,000 business technology professionals surveyed by ISACA say they were unprepared for the deadline, but only around half (52 percent) expect their companies to be compliant by the end of the year, and 31 percent do not know when they will be fully compliant.

"Employee awareness and education are critical components of ongoing GDPR compliance," said Chris Dimitriadis, chair of ISACA's GDPR working group. "Awareness of—and commitment to—well-defined security, data management, and privacy policies and procedures clearly need to be an integral part of every organization's culture, from the top down."

Melissa Dials, an attorney in the Cleveland office of Fisher Phillips and a former corporate counsel and compliance officer for a multinational company, said, "Despite U.S.-based multinationals spending millions of dollars and thousands of hours preparing for GDPR since it was announced two years ago … more than half of U.S. employees have never heard of the regulation."

On the other hand, the results from another survey from recruitment software firm Lever show that 70 percent of people (mostly in the EU) directly involved in preparing their organizations for GDPR-compliant recruiting operations feel confident in their ability to achieve compliance by the deadline. Lever surveyed 500 talent acquisition, HR and IT professionals across the EU (84 percent of respondents were from the EU) and the United States.

Most (61 percent) are concerned, however, about how the new regulations will impact their recruiting and hiring processes.

Organizational Concerns

According to ISACA's research, the top five challenges related to GDPR compliance are:

  • Data discovery and mapping (59 percent).
  • Prioritizing GDPR compliance among other business needs (47 percent).
  • Organizational education and change programs (45 percent).
  • Ensuring cross-departmental collaboration and buy-in (42 percent).
  • Preparing for candidate and employee access or deletion requests (37 percent).

Cost was the seventh-highest concern, at 32 percent.

The good news is that the majority of executive leaders recognize the importance of GDPR and its implications. According to the ISACA data, 69 percent believe their organization's executives have made becoming GDPR-compliant a priority.

"GDPR awareness at the executive level is certainly widespread at this point, with the deadline for compliance approaching," said Neal Dittersdorf, general counsel, privacy officer and corporate secretary for recruitment software firm iCIMS. "GDPR represents a significant and comprehensive change in the way companies will manage personal data, and HR plays an important role in rolling out new policies and processes to adhere to ensure compliance."

Respondents to the Lever survey focused on recruiting were either "very concerned" or "extremely concerned" about specific requirements, such as:

  • Maintaining full records of recruiting processing activities (52 percent).
  • Determining when to get consent from candidates (50 percent).
  • Determining how long to store a candidate's personal data before deleting it or obtaining consent to keep it (47 percent).
  • Selecting software vendors who will enter into GDPR-compliant contracts and meet data security requirements (46 percent).

Lever's research also revealed that some organizations are unsure how to adhere to regulations related to candidate data. Employers must identify a lawful basis for processing personal data under the GDPR. For recruiting, the most common lawful bases are "getting consent" and "legitimate interest," but determining which one applies is one of the murkier areas of the new law.

"This is a difficult problem," Dittersdorf said. "On one hand, a well-framed and valid consent that complies with GDPR is an effective mechanism for lawful processing. On the other hand, some officials have cautioned against reliance on consent in the employment context. Each company, perhaps using a combination of legal and compliance resources, needs to make a judgment about how consent fits into the recruiting process."

Another grey area in the GDPR is determining how long to store candidate data. Article 5 of the regulation states that personal data should be kept for "no longer than is necessary for the purposes for which the personal data are processed," but it doesn't specify what the retention period should be, and the question of whether to delete candidates' personal data or seek consent in order to continue storing it is left up to employers.

Twenty-five percent of respondents to the Lever study said they will decide whether to delete or ask for consent after three months, while another 23 percent said their retention period will be a year or longer and still another 23 percent said they will make that decision when the job closes.

Training and Education

Among the ISACA survey's most concerning findings is that only 39 percent of respondents said their organizations' employees have been educated to a satisfactory level about their responsibilities to maintain GDPR compliance.

"Given the complexity, it's taken most organizations considerable time to translate GDPR into actionable programs across gap analysis, risk mitigation plans, remediation across policies, processes, contracts and systems, and finally, communication," Dittersdorf said. "Since communication is typically the last phase of these types of endeavors, we're not surprised to see the lack of training across an employee population so close to the deadline. Employees can expect lots of training after the deadline."

GDPR compliance is everyone's responsibility, and, in fact, the law requires that companies train their workforces on how to handle personal data, Dials said.

She added that for training to be effective, it should begin at the top with a demonstrated commitment to creating awareness and a compliant culture, and online training should be supplemented "with in-person role-based training tailored to meet each functional area's unique requirements."
