Global organisations do not know where customer data is stored and use unreliable data removal methods to erase content, a study shows.
Locating customer data is likely to be the biggest challenge to fulfilling personal data erasure requests under the EU’s General Data Protection Regulation (GDPR).
From 25 May 2018, any organisation holding EU citizens’ personal data will be required to erase that data at the request of the data subject.
However, most organisations struggle to identify where all their customer data is stored, according to the “EU GDPR: Countdown to compliance” study by the Blancco Technology Group, which polled 750 corporate IT professionals in the UK, US, France, Germany and Spain.
One in five French organisations admitted having a low level of confidence in their ability to find all customer data on-premises and off-premises.
This was slightly better in Germany, where 15% of organisations admitted they do not know where all customer data is stored, followed by the US (13%) and the UK (12%).
Ironically, the “right to be forgotten” (data erasure) tops the list of GDPR priorities, alongside keeping a record of data processing activities and the GDPR’s requirement of breach notification within 72 hours.
Insufficient budgets, improper handling and storage of IT equipment, and lack of data removal software were cited as the biggest roadblocks to fulfilling data erasure requirements.
The study found that insecure and unreliable data removal methods undermine security and compliance, with basic deletion used by IT professionals in France (34%), the US (28%), Spain (26%), the UK (24%) and Germany (23%).