A new survey conducted by Vanson Bourne asked IT leaders in the U.S., UK, Germany and France about their current data policies to see how well aligned they are with the EU General Data Protection Regulation (GDPR), which comes into force on May 25, 2018.
The survey of 500 IT decision makers did not name GDPR in its questions, but asked about areas of policy that would be impacted by the regulation. It found 54% could not say all personally identifiable information was protected through anonymization and encryption in all digital locations. This alone could mean companies do not meet the “appropriate level of security” requirement specified in Article 32 of the regulation.
In terms of protecting EU citizens from data breaches, the survey found companies do not currently have the processes or technology in place to adequately meet GDPR requirements around data breaches:
- Only 52% of all of the companies surveyed are completely confident that they can report data breaches within 72 hours of discovery to the authorities. Yet, only 55% are “completely confident” they have systems that could identify a breach from an external source, suggesting that a customer’s personally identifiable information could be traded unbeknown to the company or citizen, placing both at greater risk of fraud.
- Companies also admitted they cannot easily identify the data obtained in a breach. Less than half (46%) are completely confident that they could precisely identify the data that had been exposed in a breach.
Working with personal data
GDPR regulations also state that “appropriate technical and organizational measures” should be in place to safeguard personal data and minimize data collection, processing and storage. Asked about key areas of data processing, several weaknesses were identified that could leave companies at risk, if not addressed:
- Only 41% of companies could say that data is automatically geo-fenced “every time” on servers, so it cannot be moved outside of the legal jurisdiction in which it resides.
- Just 48% of all business partners’ storage locations’ security standards are audited by companies.
- 54% of companies check on every occasion whether a customer has given permission for records to move between data processors, such as suppliers and business partners, before moving data.
- Just over a third (37%) of companies claim to have processes that allow them to remove data without delay from live systems and backups. Articles 16 and 17 of the EU GDPR specify that companies must be able to respond to citizen demands for the rectification or erasure of data within one month. 15% are currently building the systems that will give them this functionality.
“The findings show that companies have some way to go over the next 12 months if they are to ensure compliance, and must focus on some security fundamentals such as implementing encryption and data lifecycle protection technology. Compliance is not just a matter of avoiding fines; consumers care deeply about the abuse and loss of their data. The reputational damage from non-compliance can far outweigh the €20 million or 4% of global revenue fine that a company could receive. There is still time to get the technology and processes in place, but complacency is not an option,” said Mark Hickman, COO at WinMagic.