Low GDPR preparedness represents revenue threat

96 percent of companies still do not fully understand the European General Data Protection Regulation (GDPR), despite it coming into effect in May 2018.

Chart: Elements respondents believe to be part of the GDPR

GDPR preparedness

The results of Symantec’s State of European Data Privacy Survey, which was conducted through interviews with 900 business and IT decision makers across the UK, France and Germany, show that 91 percent of respondents have concerns about their ability to become compliant.

The study also revealed that only 22 percent of businesses consider compliance a top priority in the next two years, even though only 26 percent of respondents believe their organisation is fully prepared for the GDPR.

“As UK businesses could face up to £122bn in GDPR penalties for data breaches, it is highly concerning that 96% still don’t fully understand the impending legislation. The regulation intends to help businesses be more proactive in securing hosting and data storage strategies – an incentive that was actively sought after by the industry. According to Fujitsu research, 80% of IT decision makers believe more stringent data protection laws are needed in this data-driven world, while nearly two thirds (61%) welcome larger fines for data protection negligence and would like to see them introduced,” Andy Herrington, Head of Cyber Professional Services at Fujitsu, told Help Net Security.

Lack of regulatory awareness

Of those surveyed, nearly a quarter (23 percent) said their organisation will not be compliant at all, or will be only partly compliant, by 2018. Of this group, only a fifth (20 percent) believe it is even possible to become fully compliant with the GDPR, with nearly half (49 percent) believing that while some company departments will be able to comply, others will not. This stark lack of confidence in meeting the May 2018 deadline leaves businesses at risk of incurring significant fines.

A consumer disconnect

While businesses struggle to become compliant, they remain out of touch with consumer expectations when it comes to data privacy and security. Nearly three quarters (74 percent) of businesses do not think an organisation’s privacy track record is a top-three consideration for customers when choosing who to do business with, despite customers asking about data security in more than a third (36 percent) of transactions.

Equally concerning is the finding that 35 percent of respondents do not believe their organisation takes an ethical approach to securing and protecting data.

These results show a significant disconnect with consumer priorities. Symantec’s State of Privacy Report found that 88 percent of European consumers see data security as the most important factor when choosing a company with which to do business. In fact, 86 percent consider it more important than product quality.

Perhaps unsurprisingly, then, the State of European Data Privacy Survey found that 55 percent of businesses are not confident they completely meet customers’ data security expectations.

Cultural preparedness

Symantec’s study also found many businesses have not started working out the necessary organisational and cultural changes they need to make ahead of May 2018.

  • Almost one in 10 (9 percent) say all employees can access customers’ personal information.
  • Six percent say all staff can access customers’ payment details.
  • Only 14 percent believe everyone in the organisation has a responsibility to ensure data is protected.

With such wide-reaching access to people’s personal information, businesses are underestimating the challenges they will face in managing this in line with the GDPR.

  • Fewer than half of those surveyed (47 percent) said managing data ethically is a top priority for their organisation, and again fewer than half said they would be increasing security training.
  • Only 27 percent of businesses are planning to completely overhaul their approach to security in response to the GDPR.

Technical readiness and the Right to Be Forgotten

  • 91 percent of respondents have concerns about their organisation’s ability to comply with the GDPR, citing factors such as the complexity of processing data correctly and on time, and the costs involved.
  • Only 28 percent of IT and business decision makers realise the right to be forgotten is part of GDPR.
  • 90 percent of businesses say customers requesting their data be deleted will be a challenge for their organisation.
  • Only nine percent of respondents have already received requests to be forgotten.
  • 81 percent of respondents believe their customers would exercise their right for data to be deleted.
  • However, 60 percent of businesses do not currently have a system in place that enables them to respond to these requests.

“Despite the results of June’s referendum, from May 2018, any organisation found to be in breach of the new EU GDPR will be subject to considerable fines that could damage the financial stability of the company and, coupled with the reputational fallout, could see the business facing bankruptcy. So the fact that 96% of organisations do not fully understand the EU GDPR is a huge cause for concern,” said Stephen Love, Security Practice Lead – EMEA at Insight UK.

“Planning ahead is the best course of action for any business. 2018 might seem a way off, but we are already nearing the end of 2016 and, before we know it, the new legislation will come into effect. Addressing the EU GDPR now will allow businesses to budget and prepare, taking manageable steps to ensure a compliant business environment that will help protect the company from the potential fallout of non-compliancy,” Love concluded.