Only 2% of “GDPR-ready” organizations are actually compliant

Only nine percent of UK organizations that believe they are prepared for the General Data Protection Regulation (GDPR) actually are, new research from Veritas has found.

In fact, organizations across the globe mistakenly believe they are in compliance with the upcoming GDPR, the company claims, after polling over 900 business decision makers from the US, the UK, France, Germany, Australia, Singapore, Japan and the Republic of Korea.

GDPR readiness

The GDPR is intended to harmonize data privacy and protection mandates across European Union (EU) member states. It requires organizations to implement the appropriate protection measures and processes to effectively govern personal data. The GDPR will take effect on May 25, 2018 and will apply to any organization – inside or outside the EU – that offers goods or services to EU residents, or monitors their behaviour.

Failure to meet GDPR requirements could attract a fine of up to four percent of global annual turnover or €20 million, whichever is greater.

False GDPR readiness beliefs

According to the survey findings, 31 percent of respondents said that their enterprise already conforms to the legislation’s key requirements. However, when those same respondents were asked about specific GDPR provisions, most provided answers that show they are unlikely to be in compliance.

In fact, upon closer inspection, only two percent of all the polled organizations actually appear to be in compliance, revealing a widespread misunderstanding of what regulatory readiness requires.

48 percent of organizations who stated they are compliant do not have full visibility over personal data loss incidents. Moreover, 61 percent of the same group admitted that it is difficult for their organization to identify and report a personal data breach within 72 hours of becoming aware of it – a mandatory GDPR requirement where there is a risk to data subjects. Any organization that is unable to report the loss or theft of personal data – such as medical records, email addresses and passwords – to the supervisory authority within this timeframe is in breach of this key requirement.

The former employee threat

Revoking former employees' access to corporate data and deleting their system credentials helps to stem malicious activity and avoid financial loss and reputational damage. Yet, a staggering 50 percent of so-called compliant organizations said that former employees are still able to access internal data.

Challenges exercising “the right to be forgotten”

Under the GDPR, EU residents will have the right to request the removal of their personal data from an organization’s databases. However, Veritas’ research shows that many organizations that stated they are already in compliance will not be able to search for, find and erase personal data when the “right to be forgotten” is exercised.

Of the organizations that believe they are GDPR-ready, 18 percent admitted that personal data cannot be purged or modified. A further 13 percent conceded that they do not have the capability to search and analyse personal data to uncover explicit and implicit references to an individual. They are also unable to accurately visualise where their data is stored, because their data sources and repositories are not clearly defined.

These shortcomings would render a company non-compliant under the GDPR. Organizations must ensure that personal data is only used for the reasons it was collected and is deleted when it’s no longer needed.

Demystifying GDPR responsibility

Veritas’ research also found that there is a common misunderstanding among organizations regarding the responsibility of data held in cloud environments.

49 percent of the companies that believe they comply with the GDPR consider it the sole responsibility of the cloud service provider (CSP) to ensure data compliance in the cloud. In fact, the responsibility lies with the data controller (the organization) to ensure that the data processor (the CSP) provides sufficient GDPR guarantees.

“Organizations who actively focus on development of a culture of data confidence will have a clear business advantage. Customer and supplier confidence in the use of data is critical to improved customer engagement, greater personalisation and ultimately service quality. This allows organizations to turn GDPR from being a regulatory challenge to being a business differentiator,” commented Jason Tooley, Vice-President, Northern Europe, Veritas.

“The complexity created through the management of data across multiple cloud and on-premise environments is accentuating the challenge and will inhibit an organization’s ability to remain compliant in the face of the GDPR articles. For every organization that’s currently struggling to make sense of the GDPR’s provisions, it should immediately seek an advisory service to audit its levels of preparedness and create a smooth and accelerated path towards total compliance.”