Most Companies Not Ready for EU GDPR Legislation on 25th May – Survey

A fifth of companies lack continuous encryption for personally identifiable information, and only half have the systems required to meet Articles 16 and 17 of the GDPR legislation reports WinMagic survey

EU GDPR

Just before the controversial implementation of EU General Data Protection Regulation Legislation (GDPR), the latest survey has revealed concerns that companies are not ready when it takes effect on May 25th, 2018.

The data security company, WinMagic surveyed 482 IT Decision Makers in March 2018 from the UK, Germany, India and the US by Viga finding that 87% of companies believe that EU GDPR can change the way they currently operate the business.

In Indian Geo, the Astounding Revelations Made Were:

  • 21% of companies in South India do not use automatic geo-fencing to prevent moving of data outside of the legal jurisdiction it resides
  • 73% of companies in Central India and 74% in East India do not check whether customers have given permission for their records to move from the companies’ servers to partners’ servers
  • 24% of companies in South India using cloud-based services for data know the physical storage location belonging to some services only
  • 88% of Indian companies ensure that all personal identification information is anonymized and encrypted across on-premise services and devices
  • 63% of companies based in North-East India do not have complete confidence in the precisely identifying information that has been exposed during a data breach (internal or external)
  • 39% of companies in West India are still cautious about their EU GDPR preparedness and 30% are stressed, while 40% in North-East are feeling nervous about

Across all Geos:

  • 62% of IT Decision Makers (ITDMs) surveyed describe themselves as ‘confident’ in the build-up, with 1 in 5 (18%) saying they are nervous.
  • Only half (51%) of companies say they have all the systems in place that will allow them to remove EU Citizen data from servers upon the request, including back-ups, in accordance with Articles 16 & 17 of GDPR.
  • Worryingly, a fifth (21%) do not yet have any systems in place.

In many cases, companies lack the systems and processes to ensure compliance with the new legislation which affects all companies holding and processing EU citizen data. Non-compliance can lead to fines of €20 million or 4% of turnover, but this is far outweighed by the reputational damage that can occur from a data breach where non-compliance has heightened the risks for citizens.

Whilst 73% believe GDPR will change the way their business will operate to meet compliance, there are a number of key areas where they will fail to meet the requirements of the legislation:

Data Management Delays

  • A quarter (25%) admitted that systems were only part implemented, and would not allow the automated removal of citizen data from back-ups
  • Just 48% of data is geo-fenced so that it cannot be accidentally, or intentionally, moved out of the legal jurisdiction under which it should be
  • Many ITDMs (49%) admit not always conducting security audits of the storage locations their data processing and storage partners use

Failing to Encrypt Data

An average 20% of the companies surveyed lack continuous encryption for personally identifiable information across their cloud and on-premises servers, despite appropriate levels of encryption and anonymization being a requirement for GDPR compliance.  Encryption also acts as a last line of defense in the event of a data breach, making data illegible when in the hands of unauthorized parties.

Continuous encryption can be complicated to implement in modern environments where infrastructure and data span both cloud and on-premises servers. Where companies lack strict security and encryption management for technologies such as virtual machines and hyper-converged infrastructure, uncontrolled data sprawl can be common, leading to silos of hidden data, and a fragmentation of governance, that leaves companies non-compliant, and at risk of heavy fines.

Poor Data Breach Monitoring

When a data breach occurs, speed is the key element in responding to on-going attacks, but also to controlling the spread and abuse of data by cybercriminals.  GDPR requires companies to report data breaches to the relevant regional authority within 72 hours of discovery, yet 41% of ITDMs believe they could not achieve this today.

Perhaps more worrying is that many companies lack the tools that will identify a breach ever occurred or the data taken:

  • 33% lack confidence and 6% have no confidence, that their systems would automatically identify a breach triggered by an external source.
  • For internal breaches, 34% lack confidence and 6% have no confidence, that their systems would automatically identify a breach event.
  • Only half (55%) believe they can precisely identify the data exposed by a breach

“Whilst companies have made general improvements in their preparations for EU General Data Protection Regulation, the survey suggests that most will not be fully compliant with the regulation when it comes into force,” said Mark Hickman, Chief Operating Officer at WinMagic.  “Whilst many will have sought the necessary authorizations from EU Citizens to store their data and use it for marketing etc., they will lack the processes and protections demanded by the legislation to ensure compliance and protect personally identifiable information with which they have been entrusted.  Effective control and management of the IT infrastructure spanning on-premises and cloud service providers for security and specifically encryption, will be a critical component in meeting the legislative requirements and minimizing the risks to consumers.”

Tags
Show More

Niloy Banerjee

A generic movie-buff, passionate and professional with print journalism, serving editorial verticals on Technical and B2B segments, crude rover and writer on business happenings, spare time playing physical and digital forms of games; a love with philosophy is perennial as trying to archive pebbles from the ocean of literature. Lastly, a connoisseur in making and eating palatable cuisines.