Most firms will not be GDPR-ready by compliance deadline

Survey of IT decision-makers shows one-fifth of companies lack continuous encryption capabilities and only half have the systems required for the right to erasure and the right to rectification

With just one month to go until the compliance deadline for the EU’s General Data Protection Regulation (GDPR), research data shows that many companies will not be ready in time.

Only 51% of companies polled say they have all the systems in place that will enable them to remove EU citizen data from servers on request, including back-ups, in accordance with Articles 16 and 17 of the GDPR. 

Worryingly, 21% do not yet have any systems in place to meet these requirements, according to a study published by data security company WinMagic.

Despite these statistics, 62% of more than 480 IT decision-makers polled in the UK, Germany, India and the US describe themselves as “confident” in the build-up, although one in five said they were “nervous”.

In many cases, the survey shows that companies lack the systems and processes to ensure compliance with the new legislation, which affects all companies holding and processing EU citizen data.

The GDPR requires organisations to have “appropriate technical and organisational measures” in place to safeguard personal data, as well as minimise data collection, processing and storage. Non-compliance can lead to fines of up to €20m or 4% of turnover, whichever is greater.

Organisations found to be non-compliant could also face a range of other punitive actions from data protection authorities, including compulsory data protection audits, warnings, reprimands, enforcement notices and stop processing orders. They also risk the reputational damage that can occur from a data breach where non-compliance has heightened the risks for citizens.

Although 73% of survey respondents believe the GDPR will change the way their business will operate to meet compliance, there are three key areas where they will fail to meet the legislation’s requirements, the survey report said:

  • Data management delays: A quarter (25%) of respondents admitted that systems were only part implemented, and would not allow the automated removal of citizen data from back-ups. Just 48% of data is geo-fenced so that it cannot be accidentally, or intentionally, moved out of the legal jurisdiction under which it should be. And nearly half of respondents admit not always conducting security audits of the storage locations their data processing and storage partners use.
  • Failing to encrypt data: An average of 20% of the companies surveyed lack continuous encryption for personally identifiable information across their cloud and on-premise servers, despite appropriate levels of encryption and anonymisation being a requirement for GDPR compliance. Encryption also acts as a last line of defence in the event of a data breach, making data illegible when in the hands of unauthorised parties. The survey report notes that continuous encryption can be complicated to implement in modern environments, where infrastructure and data span both cloud and on-premise servers. Where companies lack strict security and encryption management for technologies such as virtual machines and hyper-converged infrastructure, uncontrolled data sprawl can be common, leading to silos of hidden data and a fragmentation of governance, which leaves companies non-compliant and at risk of heavy fines. 
  • Poor data breach monitoring: When a data breach occurs, the report said speed is the key element in responding to ongoing attacks, but also to controlling the spread and abuse of data by cyber criminals. The GDPR requires companies to report data breaches to the relevant data protection authority within 72 hours of discovery, yet 41% of respondents said they could not achieve this today. 

Also, many companies lack the tools that will identify whether a breach has ever occurred, or what data was taken. One-third of respondents said they lack confidence, and 6% have no confidence, that their systems would automatically identify a breach triggered by an external source. For internal breaches, 34% lack confidence and 6% have no confidence that their systems would automatically identify a breach event, and only 55% believe they can precisely identify the data exposed by a breach.

“While companies have made general improvements in their preparations for the GDPR, the survey suggests that most will not be fully compliant with the regulation when it comes into force,” said Mark Hickman, chief operating officer at WinMagic. 

“Although many have sought the necessary authorisations from EU citizens to store their data and use it for marketing and so on, they will lack the processes and protections demanded by the legislation to ensure compliance and protect personally identifiable information with which they have been entrusted. Effective control and management of the IT infrastructure spanning on-premise and cloud service providers for security, and specifically encryption, will be a critical component in meeting the legislative requirements and minimising the risks to consumers.”

Commenting on the fast-approaching GDPR compliance deadline, Tamzin Evershed, senior director and global privacy lead at Veritas Technologies, said that in recent months, companies have been striving to gain complete visibility and control of their data – including what information is stored, who owns it, who has access and how it is used.

“Implementing a holistic approach to achieve this will mean personal data can be stored, managed and used effectively and on demand,” said Evershed, adding that as the deadline approaches, it is “imperative” that businesses do not fall at the finishing line.

“Under the GDPR, any business that deals with the personal information of EU residents will need to not only be able to comply, but also to be able to demonstrate compliance with its requirements,” she said. “These requirements go far beyond data minimisation and consent, and successful companies will be creating an ecosystem of compliance that ensures GDPR-compliant data management throughout their organisations and on a global basis.”

Evershed also recommended instilling a culture of digital compliance and responsibility among employees to drive long-term change. 

“Our research found that businesses are deploying new processes and policies and hoping to embed them into daily business practices using methods such as training and rewards to help employees understand the role they play in protecting their organisation’s data,” she said.

“Companies that understand how to create opportunity from regulatory requirements will benefit significantly with their customers and suppliers. Whether it be through personalisation to improve customer service, or through the creation of information-centric business models that offer innovative services and new revenue streams, taking more time to better manage data and thinking ahead to get the right permissions from data subjects can be hugely beneficial.”

This approach is in line with that advocated by UK information commissioner Elizabeth Denham, who has repeatedly emphasised that the GDPR is about gaining and maintaining consumer trust, which is essential for the development and innovation of business using data.

However, not every organisation understands the importance of consumer trust, she told analytics and other data professionals at a DataIQ event in London in March. “But there are enough exemplar companies and leaders saying the same thing, so the message is definitely getting out there.”

This view is shared by Omer Tene, vice-president and chief knowledge officer for the International Association of Privacy Professionals. “Data privacy is increasingly a business issue, and we are seeing a growing emphasis in business on data management, data governance and data risk,” he told Computer Weekly.