The sheer scale of companies' lack of comprehension of the European General Data Protection Regulation (GDPR) is revealed in a new survey from Symantec which finds that 96 percent of companies do not fully understand it, despite it coming into effect in 19 months' time.
In an email to SCMagazineUK.com, Ilias Chantzos, senior director of government affairs EMEA at Symantec, commented: “The most surprising finding of the research is that nine out of 10 organisations have concerns about their ability to become compliant with the GDPR but only 22 percent consider compliance with it a top priority for the next two years.”
Chantzos added: “Interestingly, 74 percent of the respondents do not think that an organisation's privacy track record is a top three consideration for their customers despite our State of Privacy Report 2015 showing that it is.”
Symantec's State of European Data Privacy Survey of 900 business and IT decision makers across the UK, France and Germany found that just 26 percent of respondents believe their organisation is fully prepared for the GDPR.
Other key findings were:
- Nine in ten businesses say customers requesting their data be deleted will be a challenge
- 35 percent of respondents do not believe their organisation takes an ethical approach to securing and protecting data
- 55 percent are not confident they completely meet customers' data security expectations
Chantzos added, “Privacy is now gaining the attention of management because of the increasing number of high profile data breaches. They are aware of the 72 hour breach notices and huge fines in the regulation, but may still lack understanding of the extent of the need to protect privacy. The GDPR forces a company-wide strategy on managing the information lifecycle as opposed to tick box compliance. The research data shows that while organisations have pockets of excellence with experts around privacy, they don't have an overarching vision on both privacy and security. This is important to successfully manage privacy and prepare for the GDPR.”
Nearly a quarter of respondents said their organisation will not be compliant at all, or will be only partly compliant, by 2018. Of this group, 20 percent believe it is even possible to become fully compliant with GDPR, with 49 percent believing that while some company departments will be able to comply, others will not. The risk of incurring significant fines is thus high.
Nearly three quarters (74 percent) of businesses do not think an organisation's privacy track record is a top three consideration for customers when choosing who to do business with, whereas Symantec's State of Privacy Report found that 88 percent of European consumers see data security as the most important factor when choosing a company with which to do business.
This disconnect with customer expectations is compounded by the fact that many businesses have not started working out the organisational and cultural changes they need to make ahead of May 2018. The survey found that currently:
- Almost one in 10 (9 percent) say all employees can access customers' personal information.
- Six percent say all staff can access customers' payment details.
- Only 14 percent believe everyone in the organisation has a responsibility to ensure data is protected.
Only 47 percent said managing data ethically is a top priority for their organisation, and less than 25 percent said they would be increasing security training. Only 27 percent of businesses are planning to completely overhaul their approach to security in response to the GDPR. So, combined with the 26 percent who believe they are fully prepared, that leaves 47 percent who are not prepared and don't have plans in place to be prepared.
In total 91 percent of respondents have concerns about their organisation's ability to comply with GDPR, due to factors such as the complexity of processing data correctly, in time, and costs involved. Only 28 percent of IT and business decision makers realise the right to be forgotten is part of GDPR yet 81 percent of respondents believe their customers would exercise their right for data to be deleted. So it's no surprise that 60 percent of businesses do not currently have a system in place that enables them to respond to these requests.
Despite the worrying findings, Chantzos remains upbeat, concluding: “The good news is that there are a lot of best practices and information security risk management programmes out there that organisations can follow. However, while 2018 seems far away, there isn't much time to get ready, so organisations should define the necessary strategic approach and implement it to achieve compliance.”
In a press statement Peter Gooch, cyber risk partner, Deloitte, adds: “Whether companies will successfully navigate the GDPR regulation hinges on their willingness to embrace privacy by design. They must also understand that good security and privacy processes can provide a substantial competitive advantage and be a driver in gaining consumer trust, in addition to being driven by regulatory requirements.”
Commenting on Symantec's findings, Andy Herrington, head of cyber-professional services at Fujitsu, said: “As UK businesses could face up to £122 billion in EU General Data Protection Regulation penalties for data breaches, it is highly concerning that 96 percent still don't fully understand the impending legislation. The regulation intends to help businesses be more proactive in securing hosting and data storage strategies – an incentive that was actively sought after by the industry. According to Fujitsu research, 80 percent of IT decision makers believe more stringent data protection laws are needed in this data-driven world, while nearly two thirds (61 percent) welcome larger fines for data protection negligence and would like to see them introduced.”
“Yet the lack of understanding about the EU GDPR poses significant consequences for both IT and business decision makers. If organisations don't understand how to ensure their compliance, they face massive reputational fallout and potential bankruptcy. And with its implementation only two years away, something needs to change.”
“Businesses should start by seeking expert advice and guidance relating to two aspects: firstly, the interpretation and deployment of appropriate protection to avoid data breaches in the first place. Secondly, they should seek to ensure that if protection fails they can identify and triage breaches quickly and accurately, managing the breach through a business-aligned incident management process which ensures compliance and limits exposure.”
“The tougher fines and raised awareness should create a much better understanding in the C-suite of what data they hold, its value to the business and the controls required to protect these valuable assets. This should not simply be seen as an additional cost but turned around into a positive aspect, as businesses can demonstrate responsible curation of their customers' data.”