Businesses failing to understand GDPR compliance status

With less than a year to go before the General Data Protection Regulation compliance deadline, many businesses are floundering, while others are embracing data-centric security to fast-track compliance

A recent poll of 900 business decision-makers around the world indicates that 31% believe their organisations are compliant with the EU General Data Protection Regulation (GDPR).

But most are mistaken, according to Veritas, which commissioned Vanson Bourne to carry out the independent poll of companies in the UK, US, France, Germany, Australia, Singapore, Japan and the Republic of Korea that do business with the EU.

According to the survey report, an analysis of the data by experts found that only 2% of respondents actually appear to be compliant, which suggests that almost all the organisations polled are not ready, despite almost one-third believing they are.

The GDPR requires organisations to have appropriate technological protection and organisational measures in place so that they can establish immediately whether a personal data breach has taken place.

Yet almost half (48%) of the respondents who stated that their organisations are GDPR compliant admit they do not have full visibility of the personal data they hold.

Without full visibility, organisations cannot ensure that a breach is reported to the supervisory authority within 72 hours of becoming aware of it, and that the individuals affected are informed without undue delay where the breach is likely to result in a high risk to them, as mandated by the GDPR, the report said.

More than 60% of respondents who said they are ready for GDPR admit it is difficult for their organisation to identify and report a personal data breach within 72 hours. Failure to do this could be classified as a major violation of the GDPR and result in a fine of up to 4% of annual revenue or €20m, whichever is greater, the report said. Article 83 of the regulation itself sets two fining tiers: up to €20m or 4% of total worldwide annual turnover for infringements such as breaching the basic processing principles or data subject rights, and up to €10m or 2% for infringing controller and processor obligations, which is the tier the breach-notification duties in Articles 33 and 34 fall under.

The survey also showed that half of respondents who say their company is compliant admit that former employees can still access company data.

With this type of uncontrolled access, the report said, many organisations are putting confidential information into the hands of people who should not have it, which would be an infringement of the GDPR.

Almost half (49%) of respondents who say they are GDPR compliant believe their organisation's cloud service provider (CSP) is solely responsible for the GDPR compliance of their data stored in the cloud, but this belief is false, the report points out. Under the regulation, the customer organisation is normally the data controller and the CSP a processor acting on its instructions; processors carry obligations of their own, but the controller remains responsible for the processing and for choosing a processor that provides sufficient guarantees.
