Data Legal Drive, a publisher of General Data Protection Regulation (GDPR) compliance software, has conducted a study on data protection in several areas, including health, education, banking and insurance. The firm ran several surveys among organisations and professionals who use personal data on a daily basis. The surveys addressed topics such as cyber attacks, staff training and the GDPR.
A study on data in several sectors of activity and in all types of companies
For this survey, 348 professionals shared their opinions. In partnership with Lefebvre Dalloz and the AFJE, Data Legal Drive interviewed internal DPOs, external DPOs and lawyers from companies in different sectors: real estate, tourism, industry, trade, communication, law, banking, insurance, education and recruitment. The three most represented sectors are health, the public sector and technology, which together account for 46% of those surveyed. 3 out of 4 experts come from a private company.
According to the study, the level of maturity of employees is positive, but there is still a long way to go before their role is central to the company. The study states that data awareness could be effective if the importance of the GDPR were linked to the particularities of each profession. However, seminars, professional training and e-learning are not widely used by organisations, which currently prefer e-mailing and newsletters (17%), intranet and internet networks (18%) and meetings with management (27%) to educate employees about the GDPR.
Taking stock of the GDPR in 2021
The study set out to take stock of the GDPR in 2021. Approximately one company in two reports a good level of GDPR compliance, estimating that it has reached a level of completeness higher than 70%.
48% of respondents perceive the GDPR as a cross-functional, permanent and virtuous process. Nevertheless, within companies, the GDPR can be seen in three other ways, each mentioned by at least one company in five: as a legal regulatory obligation, as a technical and/or legal constraint, or as a duty of transparency and a mark of respect.
The health crisis linked to the COVID-19 pandemic has had a positive effect on companies. Twice as many organisations strengthened their security in 2020 compared to 2019. These actions are related to the increase in cyber attacks, as Thales also states in its report on data and cyber threats. 64% of organizations have conducted a security audit of their website, and 35% of DPOs and lawyers have taken concrete action by implementing security measures in accordance with Article 32 of the GDPR. This article of the regulation covers the security of data processing.
Banking and insurance, education, health: three sectors lagging behind
According to the study, between 2019 and 2021, the digitization of data governance increased by 120%. 31% of the DPOs and lawyers surveyed have digitised their records completely and permanently. Nevertheless, 62% of them still maintain their registers using Excel spreadsheet software.
For several months, the French National Commission for Information Technology and Civil Liberties (CNIL) has implemented a period of “tolerance” during which it has made educational efforts to raise awareness about data protection. In particular, it sanctioned Amazon for having placed advertising cookies without prior information and consent from users.
65% of DPOs think that the new directives on cookies make it easier to obtain consent from Internet users. As a result of these actions, 53% of companies have updated their legal disclosures, privacy policies and cookie management to bring their website into compliance. In 2019 and 2020, only 30% of organizations had a site that complied with CNIL expectations.
Finally, the survey conducted by Data Legal Drive looked at sectors where digitisation and data protection have not yet become commonplace. These include education, banking and insurance, and the health sector, where around two out of three institutions stated that they had not set up a register of personal data processing, even though data protection in this area is of paramount importance.