There has been no lack of vendors, consultants and industry commentators warning companies about the pending GDPR (General Data Protection Regulation), which becomes a reality on 25 May next year. But it appears that many companies still have their heads in the sand and remain in denial. And it’s not just in the UK or mainland Europe where companies are ill prepared.
According to the GDPR criteria, any company – anywhere in the world – that stores or processes personal information about EU citizens must demonstrate compliance. But a global survey commissioned by WatchGuard Technologies shows this message is not getting through, with widespread confusion about GDPR compliance criteria and an overall lack of preparation. The survey, which examines the views of more than 1,600 organisations and was conducted by the independent market research firm Vanson Bourne, showed that a staggering 37 per cent of respondents simply didn’t know whether their organisation needs to comply with GDPR, while 28 per cent believe they don't need to comply at all.
Of the respondents who don’t believe the law applies to their organisation, one in seven collect personal data from EU citizens, while 28 per cent of respondents unsure about compliance also said that they collect this type of information. The results show that the GDPR message is still not reaching everyone and that many companies are misinterpreting which types of data constitute a mandate for compliance.
GDPR broadly defines personal data as any information that can be directly or indirectly attributed to an individual, including such seemingly benign data as an IP address, and then mandates compliance from any organisation that collects it from an EU citizen. That’s nearly every company that transacts business within the EU. Once enforcement for this new legislation begins, companies all over the world will feel its impact. With sensitive customer data and non-compliance fines at stake, every company with access to data from European citizens needs to ensure they truly understand GDPR and its ramifications.
Lack of preparation
What about those companies that have been working to GDPR compliance? The survey suggests that while many organisations have been aware of GDPR and putting plans in place for some time, just 10 per cent of respondents – including those in the UK – believe their company is currently 100 per cent ready.
In another illustration of the lack of clarity and communication around GDPR, 44 per cent of the WatchGuard survey respondents stated that they don’t know how close their organisation is to compliance. Even companies that believe they already have a solid compliance strategy in place, still believe that their organisation will need to make significant changes to their IT infrastructure in order to fully comply.
The Regulation directs companies to add new consent procedures, notification processes, reporting and communication mechanisms, as well as upgrading network security to the latest technology that provides ‘situational awareness of risks’ and ‘enables preventative, corrective and mitigating action’ in near real time.
Although companies are embracing firewalls, VPNs and encryption as security measures in their compliance strategies, the vast majority are ignoring the role of important, but lesser known tools such as sandboxes.
Implementing a winning strategy
Becoming compliant with the GDPR requires a significant effort for nearly all businesses, and will most certainly include adding:
· Data protection measures using the latest, most effective network security technology that:
- protect data during storage and transmission
- ensure situational awareness of risks
- enable preventative, corrective and mitigating action in near real time against vulnerabilities or incidents detected that could pose a risk to data
- provide tools for assessing the effectiveness of security policies
· Data recovery mechanisms that restore access to data when an incident disrupts availability
· New or improved processes and reporting structures for tracking consent, notification of breaches and compliance
A winning strategy should also consider where there is an opportunity to reduce the scope and risk of GDPR impact, so that the burden of the monitoring, record-keeping and compliance activities associated with the GDPR is reduced. For example:
· Reducing the number of personal data fields collected/processed
· Reducing the amount of time that personal data is held/processed
· Encrypting data in storage and during transmission
· Masking IP addresses and anonymising other types of user information
· Reducing the number of authorised staff who can access personal data
· Increasing your ability to prevent and remediate threats to personal data
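One way to put the IP-masking and anonymisation items above into practice on log data, as an added Python example that is not part of this article or of any WatchGuard product (the /24 and /48 truncation policy, the keyed-HMAC pseudonym scheme, the secret key and the sample log lines are all constructed assumptions):

```python
import hashlib
import hmac
import ipaddress
import re

# Hypothetical per-deployment secret (constructed); in practice load it from a
# secret store and rotate it so pseudonyms cannot be rebuilt from old logs.
PSEUDONYM_KEY = b"constructed-example-key"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Candidate IPv4 (dotted quad) or IPv6 (at least two colons) tokens; each is
# validated with ipaddress before anything is changed.
IP_RE = re.compile(
    r"(?<![\w:.])(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f]{0,4}(?::[0-9A-Fa-f]{0,4}){2,7})(?![\w:.])"
)

def mask_ip(addr: str) -> str:
    """Keep only the network prefix: /24 for IPv4, /48 for IPv6 (constructed policy)."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def pseudonymise(identifier: str) -> str:
    """Keyed HMAC so records for one user still link up without storing the identifier."""
    digest = hmac.new(PSEUDONYM_KEY, identifier.lower().encode(), hashlib.sha256)
    return "user-" + digest.hexdigest()[:16]

def scrub_line(line: str) -> str:
    """Replace e-mail addresses with pseudonyms and truncate every valid IP address."""
    line = EMAIL_RE.sub(lambda m: pseudonymise(m.group(0)), line)

    def _mask(m):
        try:
            return mask_ip(m.group(0))
        except ValueError:  # tokens such as the time 10:14:01 are left untouched
            return m.group(0)

    return IP_RE.sub(_mask, line)

# Constructed sample log lines; not real traffic.
SAMPLE_LOG = [
    "2017-09-12T10:14:01Z 203.0.113.45 login ok user=alice@example.com",
    "2017-09-12T10:14:07Z 2001:db8:abcd:1234::5 GET /account user=Alice@example.com",
]

def scrub_lines(lines):
    """Scrub a whole batch; the same user keeps the same pseudonym across lines."""
    return [scrub_line(entry) for entry in lines]
```

Because the pseudonym is keyed, the mapping back to a real address exists only where the key does, which narrows the set of staff and systems that ever handle the raw identifier.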
It is important to go through an evaluation of current policies and security practices so that you can see alignment and gaps with the Regulation.
The deadline is looming
Time is running out and companies are feeling the pressure. For organisations that are not yet GDPR compliant, survey respondents estimate it will take an average of seven months to complete the requirements. For larger companies, this will be considerably longer. Even for companies that feel they have time to spare, the impetus should be on becoming compliant as soon as possible. By publicly showing customers that your organisation prioritises data security and has become compliant prior to any legal deadline, your reputation will receive a boost. This can prove invaluable in a world that is pushing cyber security to the foreground.
Potential penalties for non-compliance are steep and no one wants to be the test case that will set the precedent. Any person who has suffered damage as a result of an unlawful processing operation or of an action incompatible with the Regulation shall have the right to receive compensation from the controller or the processor for the damage suffered. Companies stand to lose four per cent of their worldwide revenue after a breach if they haven’t met all the requirements by next May. The only way to prevent unnecessary fines and frustration is to take a good hard look at the criteria, assemble a GDPR plan of action and begin implementing it immediately.
Corey Nachreiner, Chief Technology Officer, WatchGuard