Organizations across the globe mistakenly believe they are in compliance with the upcoming General Data Protection Regulation (GDPR), according to a study by Veritas.
The 2017 GDPR Report revealed that almost one-third (31%) of respondents said that their enterprise already conforms to the legislation’s key requirements. However, when those same respondents were asked about specific GDPR provisions, most provided answers that show they are unlikely to be in compliance. In fact, upon closer inspection, only 2% actually appear to be in compliance, revealing a distinct misunderstanding over regulation readiness.
The findings of the report show that almost half (48%) of organizations who stated they are compliant do not have full visibility over personal data loss incidents. Moreover, 61% of the same group admitted that it is difficult for their organization to identify and report a personal data breach within 72 hours of awareness – a mandatory GDPR requirement where there is a risk to data subjects. Any organization that is unable to report the loss or theft of personal data – such as medical records, email addresses and passwords – to the supervisory body within this timeframe is breaking with this key requirement.
Restricting former employee access to corporate data and deleting their systems credentials helps to stem malicious activity and ensure that financial loss and reputational damage are avoided. Yet, a staggering 50% of so-called compliant organizations said that former employees are still able to access internal data. These findings highlight that even the most confident organizations struggle to control former employee access and are potentially susceptible to attacks.
Under the GDPR, EU residents will have the right to request the removal of their personal data from an organization’s databases. However, Veritas’ research shows many organizations that stated they already are in compliance will not be able to search, find and erase personal data if the 'right to be forgotten' principle is exercised.
Data breaches are already the second greatest cause of concern for business continuity professionals, according to the Business Continuity Institute's latest Horizon Scan Report, and once this legislation comes into force, bringing with it higher penalties than already exist, this level of concern is only likely to increase. Organizations need to make sure they are aware of the requirements of the GDPR, and ensure that their data protection processes are robust enough to meet these requirements.
Of the organizations that believe they are GDPR-ready, one-fifth (18%) admitted that personal data cannot be purged or modified. A further 13% conceded that they do not have the capability to search and analyze personal data to uncover explicit and implicit references to an individual. They are also unable to accurately visualize where their data is stored, because their data sources and repositories are not clearly defined.
These shortcomings would render a company non-compliant under the GDPR. Organizations must ensure that personal data is only used for the reasons it was collected and is deleted when it’s no longer needed.
Veritas’ research also found that there is a common misunderstanding among organizations regarding the responsibility of data held in cloud environments. Almost half (49%) of the companies that believe they comply with the GDPR consider it the sole responsibility of the cloud service provider (CSP) to ensure data compliance in the cloud. In fact, the responsibility still lies with the organization, as the data controller, to ensure that the data processor (the CSP) provides sufficient GDPR guarantees. This perceived false sense of protection could lead to serious repercussions once the GDPR is enacted.
“The GDPR dictates that multi-national corporations take data management seriously. However, the latest findings show confusion over what’s needed to comply with the regulation’s mandatory provisions. With the implementation date looming ever closer, these misconceptions need to be eradicated fast,” said Mike Palmer, executive vice president and chief product officer, Veritas.
“With regulations like the GDPR you have to understand what data you have in your organization. But you must also know how to take action on it and how to classify it so that policy can be applied accordingly. These are the fundamentals of compliance and the findings today should be used to educate businesses about the mistaken beliefs that could put an organization out of business.”