Most Organizations Lack Systems and Processes to Ensure GDPR Compliance, Survey Shows
When the EU confirmed plans to implement the General Data Protection Regulation (GDPR), organizations had more than a year to make the changes needed to ensure compliance. Few took the wrath of the GDPR seriously when the clock started ticking. Now, with less than a month left until the May 25 GDPR deadline, many risk non-compliance.
A survey of 482 IT decision makers sponsored by WinMagic and conducted by Viga in March 2018 in the United Kingdom, Germany, India and the United States reveals that most targeted businesses won’t be ready to fully tackle the GDPR when the regulation takes full effect this month.
Only 51% of respondents say they have the necessary systems in place to remove EU citizens’ data from servers upon request, in accordance with Article 17 of GDPR (The Right to Erasure). Further, 21% don’t have any systems in place to honor such a request from EU citizens whose personally identifiable information they collect, process and transfer between parties.
“In many cases, companies lack the systems and processes to ensure compliance with the new legislation, which affects all companies holding and processing EU citizen data. They must have ‘appropriate technical and organizational measures’ in place to safeguard personal data, as well as minimize data collection, processing and storage,” the report states.
Targeted entities found non-compliant past the May 25 deadline risk penalties of up to 4% of their annual turnover, or up to €20 million.
“This is far outweighed by the reputational damage that can occur from a data breach where non-compliance has heightened the risks for citizens,” according to the surveyors. If the Equifax incident last year is any indication, the reputational aspect is indeed the bigger issue.
The report further reveals that 73% of respondents see the GDPR as a game changer, in that it mandates an overhaul of the business from a legal perspective. For many decision makers interviewed, key areas of compliance are already causing alarm. These include data management delays, lack of continuous encryption for personally identifiable information across their cloud and on-premises servers, and poor data breach monitoring: “When a data breach occurs, speed is the key element in responding to ongoing attacks, but also to controlling the spread and abuse of data by cybercriminals.”
As avid readers know, the GDPR requires targeted entities to report breaches within 72 hours of discovering the incident. In their own words, 41% of those surveyed could not achieve this today.
“Perhaps more worrying is that many companies lack the tools that will identify that a breach ever occurred or the data taken,” the report notes.
A key solution that can help is endpoint detection and response (EDR), a technology designed to detect, report, quarantine and neutralize a breach at every stage of the unfolding attack. A sound EDR solution should feature a single-agent/single-console architecture, reducing the effort to deploy and effectively manage the security of endpoint infrastructure.
Filip Truta is an experienced writer with over a decade of practice in the technology realm. He has covered a wide range of topics in such industries as gaming, software, hardware, and security, and has worked in various B2B and B2C marketing roles.
This guest blog is part of a Channel Futures sponsorship.