Veritas study reveals over half of businesses are unprepared for GDPR

Compliance breaches will trigger unprecedented fines unless businesses address failings in the next 18 months.

Newly released research from Veritas Technologies shows more than half of organisations have failed to begin any work on meeting minimum General Data Protection Regulation (GDPR) compliance.
 
Intended to harmonise data security, retention and governance legislation across European Union (EU) member states, GDPR requires greater oversight of where and how sensitive data—including personal, credit card, banking and health information—is stored and transferred, and how access to it is policed and audited by organisations. GDPR will not only affect companies within the EU, but extend globally to the U.S. and other countries, impacting any company that conducts business in the region or with an EU organisation.
 
The research findings from The Global Databerg Report—which surveyed more than 2,500 senior technology decision makers in 2016 across Europe, the Middle East, Africa, the U.S. and Asia Pacific—reveal 54 per cent of organisations have not advanced their GDPR compliance readiness. With a quarter of the EU’s grace period over before the legislation takes effect in May 2018, the responses bring into focus a number of operational, compliance and planning issues, in particular the ownership of GDPR processes and the ability to implement data cleansing policies and end of life requirements.
 
The study was conducted for Veritas by the research firm Vanson Bourne to investigate how organisations store and manage their data, highlighting the attitudes and behaviours that are fuelling an unprecedented growth in data volumes.
 
Unclear Executive Ownership of GDPR
Findings from the research revealed a lack of preparedness for GDPR and confusion over who is ultimately responsible for adherence and compliance. Almost one third, or 32 per cent, of survey respondents believe the Chief Information Officer is responsible for GDPR, compared with 21 per cent for the Chief Information Security Officer, 14 per cent for the Chief Executive Officer and 10 per cent for the Chief Data Officer. According to the survey, the individuals responsible for implementing a GDPR process also face a variety of risks if data is not handled properly. Just under one third, or 31 per cent, of respondents were worried about reputational damage to their organisations from poor data policies, while almost 40 per cent were fearful of a major compliance failing within their business.
 
Data Pressure Points
Fragmentation of data and loss of visibility are among the biggest data challenges organisations face, making it more difficult to comply with GDPR. An estimated 35 per cent of those surveyed flagged this issue as their biggest concern. In particular, the rise of unmanaged cloud-based file storage and consumer file-sharing services in the enterprise raised fears about future compliance issues. A quarter of respondents admitted to using cloud-based services, such as Box, Google Drive, Dropbox, EMC Syncplicity or Microsoft OneDrive, against their current company policies. Another 25 per cent reported running unrecognised off-site file storage services, making it even harder for IT departments to manage their use with recognised tools.
 
In addition to the storage challenges, respondents pointed to perceived risk factors that any security and regulatory compliance programme must address. Over one half, or 52 per cent, of respondents said they were concerned about the threat of data loss from the business, with 48 per cent particularly concerned about data being lost in transit between sites and systems. Four in 10 respondents were also concerned about employees mishandling data and undermining compliance efforts in the process.
 
The Right to be Forgotten
With GDPR, businesses must analyse and act on legitimate requests from individuals to have their data purged if it is no longer relevant or necessary. However, the combination of data fragmentation and unstructured data hoarding within organisations makes it almost impossible for companies to comply with these requests. The lack of visibility into dark data and information held outside of corporate IT systems complicates compliance and exposes organisations to substantial financial and legal risk. These and other GDPR compliance failures carry a harsh financial cost for businesses: a maximum fine of €20 million ($22.3 million) or up to four per cent of worldwide revenue, whichever is higher.
 
“GDPR is the most significant change to data protection in a generation and an imminent global issue that will dominate data privacy, management and regulation discussions in 2017,” said Mike Palmer, Executive Vice President and Chief Product Officer, Veritas. “To avoid potential regulatory fines or worse, damage to their corporate brands and reputations, global enterprises must take action now to understand where their data resides and how to protect it.”