As GDPR deadline looms, time for compliance is running out
GDPR is a game-changing piece of data protection legislation that goes into effect on May 25, 2018.
While the legislation includes various components related to how organizations collect, store, manage and protect customer data, the ‘right to be forgotten’ gives individuals the right to have personal data erased. If most organizations cannot locate where their customer data is stored, it will be difficult to fulfill ‘right to be forgotten’ requests, according to Blancco Technology Group.
Most organizations struggle to identify and locate where all customer data is stored. 15 percent of German organizations admitted they don’t know where all customer data is stored, both on-premises and offsite.
The United States (13 percent) and United Kingdom (12 percent) are the two countries with the second and third highest percentages of respondents who don’t know where all of their customer data is stored. For French organizations, however, the problem is somewhat worse with 20 percent saying their confidence level in their ability to find all customer data is low – ranging from extremely unconfident to slightly unconfident.
“If an organization cannot find their customers’ data, how will they be capable of erasing the data and complying with the GDPR’s requirement? Once they do finally locate their customers’ data, the next step is erasing the data permanently so that it can never be recovered. But as our study reveals, it’s quite common for organizations to use insecure and unreliable data removal methods, such as basic deletion and free data wiping software, which further undermines their security and compliance to GDPR,” said Richard Stiennon, Chief Strategy Officer, Blancco Technology Group.
French, Spanish and German companies will beef up spending on EU GDPR-readiness technologies and processes. 85 percent of Spanish companies will spend up to $3.99 million, while 77 percent of French companies and 73 percent of German companies will spend the same amount. However, fewer American companies (65 percent) will spend this same amount.
72-hour breach notification, records maintenance of data processing activities and ‘right to be forgotten’ top the list of EU GDPR priorities. Meeting the 72-hour data breach notification rule (25 percent) and maintaining written records of data processing activities (25 percent) both ranked as the top priorities for American organizations. British organizations are most concerned with maintaining written records of data processing activities (22 percent). Conversely, 22 percent of Spanish organizations will prioritize the appointment of a Data Protection Officer.
Insufficient budgets, improper handling/storage of IT equipment and lack of data removal software are the biggest roadblocks to the ‘right to be forgotten.’ 12 percent of the American respondents cited insufficient budget as their biggest challenge, while it’s also a challenge for French companies (17 percent), British companies (16 percent) and German companies (15 percent). Plus, improper handling/storage of IT equipment ranks as a major challenge for Spanish companies (28 percent), American companies (21 percent) and British companies (17 percent).
Insecure and unreliable data removal methods undermine security and compliance. Basic deletion is used by IT professionals in France (34 percent), US (28 percent), Spain (26 percent), UK (24 percent) and Germany (23 percent) to remove data. Meanwhile, free data wiping solutions (without proof of erasure) are used by organizations in Spain (35 percent), UK (33 percent), Germany (27 percent), US (25 percent) and France (21 percent).
Data Protection Officers are uncommon and costly additions. 59 percent of American companies and 53 percent of British companies are most likely to assign the responsibilities of a DPO to an existing role. In Germany, however, companies would be somewhat inclined to hire a new, dedicated role (40 percent). Meanwhile, 16 percent of French companies would outsource the role to a consultant.
Change begins with a data protection gap analysis. 41 percent of American organizations are currently undergoing a gap analysis and 43 percent of British organizations plan to start in the second half of 2017. In addition, 50 percent of Spanish organizations will do so in the second half of this year. But 14 percent of the French respondents and 14 percent of the German respondents will wait until 2018.
Stiennon concluded, “The first priority for all companies should be to gain a complete picture of all data that is collected, stored or processed that contains EU citizen and resident information. After that, companies must ensure that adequate means of protecting that data have been implemented, such as access being restricted to authorized personnel, proper authentication being used and proper procedures for backing up and archiving data and data sanitization policies being implemented to remove data when it is no longer needed or requested by customers. In addition, any third parties that have access to the data must be evaluated to ensure they too have adequate controls in place.”