With eight months to go until the EU’s General Data Protection Regulation takes effect, only 26 percent of government organizations are aware of the impact of GDPR, the lowest of any sector, according to SAS. Privately held companies aren’t much better off.
Data obtained by the analytics giant indicates that global organizations are entering murky waters as they move into 2018 lacking a structured plan for compliance, while not being fully aware of the consequences of noncompliance with the EU’s General Data Protection Regulation.
Amid mounting global cybercrime concerns, the European Union revised its existing data protection laws, and the GDPR is the result. The new law requires any organization handling the “personally identifiable information” of EU citizens to comply with new and stricter data protection rules by May of next year.
Demonstrating accountability in all processing activities and appointing a Data Protection Officer are just a couple of the GDPR’s requirements for compliance. Organizations affected will further need to prepare for customers exercising their rights, such as “the right to be forgotten” (citizens can have their personal data deleted from any records, upon request), the right to receive a data portability notice, and more.
Non-compliance will see small firms pay up to 2% of their annual revenue or €10 million (whichever is higher), while large companies will face penalties of up to 4% or €20 million (again, whichever is higher).
Eight months to go
SAS conducted its global GDPR survey in the spring, yet its results match the current picture painted by several other studies: many companies find themselves noncompliant less than a year before GDPR kicks in. Worse still, many organizations fail to recognize the impact that non-compliance would have on their business.
SAS queried 340 business executives from multiple industries and geographies. Based on the results of the survey, the firm this week reported a number of highlights, including the biggest challenges that organizations face in GDPR compliance, but also some opportunities to improve their data governance and customer satisfaction. Its findings were:
- Most respondents feel that GDPR will have a large impact on their organization
- 42 percent indicate their organizations are not fully aware of this impact
- 45 percent have a structured compliance process in place; of those, 66 percent believe this process will lead to successful compliance
- More than a few respondents admit that they do not know how to determine if they are GDPR compliant
- 54 percent of large organizations (5,000+ employees) are fully aware of the impact of non-compliance, compared to just 37 percent of small organizations.
- Only 24 percent of organizations are trying to achieve compliance through external consulting, and those with a structured process in place use external consulting more often (34 percent).
- Just 26 percent of government organizations are aware of the impact of GDPR, arguably the lowest of any sector.
As for opportunities, companies identified the following potential benefits from GDPR:
- 71 percent believe their data governance will improve as a result
- 37 percent think their general IT capabilities will improve as they seek to comply with GDPR
- 30 percent agree that complying with the GDPR will improve their image
- 29 percent think customer satisfaction will be higher
- 29 percent say their organizations' external value propositions will improve
- Several companies believe customers will have a lot to gain in terms of security and privacy from the compliance efforts
Different studies, same results
In a May 2017 survey, Gartner found that organizations were unprepared for the 2018 European data protection regulation, concluding that more than 50 percent of companies targeted by GDPR will not be in full compliance come May 2018.
A Bitdefender survey published three weeks ago shows that the picture had not changed by September. According to its results, the GDPR still raises serious compliance concerns for global companies, and especially for those in the United Kingdom.
76 percent of UK IT decision makers admitted to using endpoint security solutions to protect both physical and virtual environments. Only 20 percent reported implementing dedicated security tools for each environment.
To its credit, the UK has at least drafted a Data Protection Bill of its own. The bill is aimed at bringing the country’s legislation in line with the EU’s GDPR following Brexit.
“The risk of being GDPR non-compliant means not only negative publicity and damage to the companies’ reputation as it has been until now, but also penalties that can total up to 4% of a company’s global annual revenue,” said Bogdan Botezatu, Senior eThreat Analyst, Bitdefender. “With 2017 having already set new records in terms of magnitude of cyberattacks, boards should be aware that it’s only a matter of time until their organization will be breached since most still lack efficient security shields.”