54% of organizations have not advanced their GDPR compliance readiness
More than half of organizations have failed to begin any work on meeting minimum General Data Protection Regulation (GDPR) compliance, according to a study conducted by Vanson Bourne.
Intended to harmonize data security, retention and governance legislation across European Union (EU) member states, GDPR requires greater oversight of where and how sensitive data—including personal, credit card, banking and health information—is stored and transferred, and how access to it is policed and audited by organizations. GDPR will not only affect companies within the EU, but extend globally to the U.S. and other countries, impacting any company that conducts business in the region or with an EU organization.
The research findings from The Global Databerg Report—which surveyed more than 2,500 senior technology decision makers in 2016 across Europe, the Middle East, Africa, the U.S. and Asia Pacific—reveal 54 percent of organizations have not advanced their GDPR compliance readiness.
With a quarter of the EU’s grace period over before the legislation takes effect in May 2018, the responses bring into focus a number of operational, compliance and planning issues, in particular the ownership of GDPR processes and the ability to implement data cleansing policies and end of life requirements.
Unclear Executive Ownership of GDPR
Findings from the research revealed a lack of preparedness for GDPR and confusion over who is ultimately responsible for its adherence and compliance. Almost one third, or 32 percent, of survey respondents believe the Chief Information Officer is responsible for GDPR, compared to 21 percent for the Chief Information Security Officer, 14 percent for the Chief Executive Officer and 10 percent for the Chief Data Officer.
According to the survey, those individuals responsible for implementing a GDPR process also face a variety of risks if data is not handled properly. Just under one third, or 31 percent, of respondents were worried about reputational damage to their organizations from poor data policies, while almost 40 percent were fearful of a major compliance failing within their business.
Data Pressure Points
Fragmentation of data and loss of visibility are among the biggest data challenges organizations face, making it more difficult to comply with GDPR regulations. An estimated 35 percent of those surveyed flagged this issue as their biggest concern. In particular, the rise of unmanaged cloud-based file storage and consumer file-sharing services in the enterprise raised fears about future compliance issues.
A quarter of respondents admitted to using cloud-based services, such as Box, Google Drive, Dropbox, EMC Simplicity or Microsoft OneDrive, against their current company policies. Another 25 percent reported running unrecognized off-site file storage services, making it even harder for IT departments to manage their use with recognized tools.
In addition to the storage challenges, respondents pointed to perceived risk factors that any security and regulatory compliance must address. Over one half, or 52 percent, of respondents said they were concerned about the threat of data loss from the business, with 48 percent particularly concerned about data being lost in transit between sites and systems. Four in 10 respondents were also concerned about employees mishandling data and undermining compliance efforts in the process.
The right to be forgotten
With GDPR, businesses must analyze and act on legitimate requests from individuals to have their data purged by organizations if it is no longer relevant or necessary. However, the combination of data fragmentation and unstructured data hoarding within organizations makes it almost impossible for companies to comply with these requests.
The lack of visibility into dark data and information held outside of corporate IT systems complicates compliance and exposes organizations to substantial financial and legal risk. These and other GDPR compliance failures carry a harsh financial cost for businesses: a maximum fine of €20 million ($22.3 million) or up to four percent of worldwide revenue, whichever is higher.
“GDPR is the most significant change to data protection in a generation and an imminent global issue that will dominate data privacy, management and regulation discussions in 2017,” said Mike Palmer, Executive Vice President and Chief Product Officer, Veritas. “To avoid potential regulatory fines or worse, damage to their corporate brands and reputations, global enterprises must take action now to understand where their data resides and how to protect it.”