The deadline for one of the most highly publicized and impactful data privacy regulations in the world is approaching, and many companies are still not prepared.
The General Data Protection Regulation (GDPR), a set of rules developed by the European Parliament, European Council, and European Commission, is designed to boost data protection for individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
GDPR, which replaces a data protection directive that dates back to 1995, officially takes effect on May 25, 2018, following a two-year transition period. Any organization that handles data for individuals within the area of coverage is affected by the regulation, and the stakes for non-compliance are high. The regulation states that penalties for non-compliance can be as much as 4% of the violating company's global annual revenue, depending on the nature of the offence.
Unfortunately, many organizations aren’t ready to comply, according to a new report from security content site Crowd Research Partners. The 2018 GDPR Compliance Report is based on the results of a comprehensive online survey of more than 531 IT, cyber security, and compliance professionals, and it shows that 60% of surveyed organizations are likely to miss the compliance deadline.
Only 40% of organizations in the survey confirmed they are either GDPR-compliant or well on their way to compliance by the deadline. A mere 7% of the organizations said they are in full compliance with GDPR requirements today. This is a slight improvement compared with the results from a similar survey conducted last year, when only 5% indicated they were fully compliant, but it is still an alarmingly low number, the report said. One third of the organizations said they are well on their way to meeting the compliance deadline.
While 80% of the respondents said GDPR is a top priority for their organization, only half said they are knowledgeable about the data privacy legislation or have deep expertise. Even more alarming and surprising, given the amount of publicity GDPR is receiving, one quarter of the organizations said they have no or only limited knowledge of the law.
“What is striking in this study is the lack of staff with GDPR expertise and an overall underestimation of the effort required to meet GDPR, which represents the most sweeping change in data privacy regulation in decades,” said Holger Schulze, CEO of Cybersecurity Insiders and founder of the 400,000-member Information Security Community on social media site LinkedIn, which commissioned the study.
The primary compliance challenge facing companies is a lack of expert staff (cited by 43%). This was followed by a lack of budget (40%), and a limited understanding of GDPR regulations (31%). A majority of the organizations (56%) expect their data governance budget to increase so that they can deal with GDPR challenges.
About one third of the surveyed organizations reported that they will need to make substantial changes to their data security practices and systems in order to be in compliance with GDPR, but more than half of the organizations expect to make only minor changes.
The highest ranked initiative for meeting compliance is to make an inventory of user data and map it to protected GDPR categories (cited by 71% of the respondents), followed by evaluating, developing, and integrating products that enable GDPR compliance.
In a majority of organizations (52%), IT and information security teams have primary ownership for meeting GDPR compliance.
Among the eleven chapters that make up the GDPR regulation, survey participants are most concerned about implementing Chapter 3, which is focused on the rights of the data subject. This chapter is at the core of the GDPR's protection of data privacy for EU citizens.
Among the articles that make up the GDPR legislation, the right to be forgotten and erasure (Article 17) and secure processing of personal data (Article 30 and Article 5) are the biggest concerns for organizations. This is likely because these requirements imply significant system redesign, investment in data protection controls, and an impact on business processes, according to the report.
Most organizations' insider threat programs are currently not meeting GDPR reporting guidelines, the study notes. Separately, the law's "Right to Explanation" gives citizens the right not to be subject to a decision based solely on automated processing. About one third of organizations (32%) confirm that their current automated assessment techniques are "black boxed," meaning they are not able to explain how the algorithms arrived at a decision.
While most GDPR-relevant data is stored on premises, about one third of organizations (36%) store data in cloud or hybrid environments. That makes control over data potentially more challenging, the report said.