The first anniversary of GDPR going into effect is on the horizon, but one study has found that companies are rarely able to meet the reporting demands set by the legislation.
A report by the cybersecurity firm Redscan, based on data received through a Freedom of Information request in the UK, found that neither breach detection nor breach reporting was being conducted within GDPR standards.
GDPR requires detected breaches to be reported to the Information Commissioner's Office within 72 hours. But the average reporting time for a data breach, Redscan found, was 21 days. (It took an average of 60 days to detect the incident in the first place, the study notes.)
In addition, the study determined that 21 percent of the breached companies did not report the incident at all. The fact that companies cannot meet the legal requirement is not surprising to executives at Redscan, whose study looked at a time period encompassing both the pre- and post-GDPR era.
“It’s incredibly optimistic to think that businesses are better at preventing and detecting data breaches since the introduction of the GDPR,” said Mark Nicholls, Redscan director of cybersecurity. “Despite the prospect of a larger penalty, many are still struggling to understand and implement the solutions they need to achieve compliance.”
Companies are also struggling to specify the impact of breaches after they happen, with 90 percent failing to do so when reporting, the study shows.
“This is another worrying statistic and again suggests that organizations lacked the appropriate expertise and resources to understand the full scope of attacks, such as the type of data and assets compromised. Without this knowledge it is almost impossible to put together an effective incident response plan,” the report states.
Another interesting trend turned up by this research is that most data breaches happen on a Saturday, while most companies report the breach on a Thursday or Friday. To Redscan, this indicated most firms are not able to monitor their systems 24/7.
The sector whose companies reported breaches the quickest was the financial sector, averaging 16 days. Next best were legal firms, which reported incidents after an average of 20 days, and general businesses, which needed an average of 27 days.
“In general, firms operating across the financial and legal sectors are among those better prepared to manage data breaches. The fact that even businesses in these high-value sectors were taking two to three weeks to divulge incidents is a key reason why the reporting rules have since been tightened,” Nicholls said.