Many European and US businesses aren't prepared for the introduction of the new EU General Data Protection Regulation (GDPR) and are at risk of falling foul of its rules, according to a new report released today.
In a study of 400 CIOs at large companies across Europe and the US, Compuware Corporation found that 68 per cent of businesses don’t yet have a comprehensive plan in place for how they will respond to GDPR and just over half (52 per cent) could efficiently comply with the “Right to be Forgotten” mandate.
63 per cent of respondents admitted that data complexity is one of the biggest hurdles to achieving compliance, while a further 53 per cent said that another major hurdle will be securing and handling customers’ consent for their data to be used.
For the Right to be Forgotten specifically, the research suggests that businesses are struggling to keep track of their data, with 68 per cent of respondents saying that the complexity of modern IT services means they can’t always know where customer data is. Just 51 per cent of CIOs said they could locate all of an individual’s personal data quickly, while nearly a third (30 per cent) couldn’t guarantee that they would be able to do so.
Dr Elizabeth Maxwell, PC.dp and Technical Director for EMEA at Compuware said: “To comply with the GDPR, businesses need to keep stricter control of where customer data resides. If they don’t have a firm handle on where every copy of customer data resides across all their systems, businesses could lose countless man-hours conducting manual searches for the data of those exercising their ‘Right to be Forgotten.’ Even then, they may not identify every copy, leaving them at risk of non-compliance.”
Businesses were also revealed to be pushing the boundaries of consent when it comes to testing. 86 per cent of respondents said they use live customer data to test apps during software development, but just one in five ask for customer consent to do this. 43 per cent of those that test apps with live data could not guarantee that the data is depersonalised before it is used, putting customer privacy at risk.
“Using customer data to test applications is fairly standard practice, but there’s no need or excuse for not depersonalising it first,” continued Dr Elizabeth Maxwell. “Companies that fail to mask data before using it to test applications could soon find themselves slapped with an eye-watering fine from EU regulators.
“As well as being better for protecting customer privacy, anonymising test data eliminates the need to obtain customers’ explicit consent for it to be used in this way.”