Most organizations slow to prepare for GDPR
With the General Data Protection Regulation scheduled to take effect in one year, two new studies reveal that most firms have not taken steps to comply with the new European data privacy and data security regulations.
Only 16 percent of organizations surveyed by Guidance Software are currently in advanced planning for GDPR, and 24 percent say they will not be ready for the May 25, 2018 deadline. Large organizations tend to be further along in preparing for the new regulations; that preparation includes the ability to identify the data records of European citizens and to determine where that data is being processed.
In order to be compliant with GDPR, an organization must meet several criteria, and failure to comply can result in significant fines. The top criteria are:
- Use or maintain policies and procedures for the anonymization and de-identification of personal data.
- Conduct a full audit of EU personal data manifestation.
- Use US cloud repositories implemented with EU encryption.
- Evaluate all third-party operational partners that access personal data transfers.
“With nearly five billion data records exposed in the past four years alone, there is a clear trend toward stronger protection of consumer data, and GDPR is a major first step in that direction,” noted Anthony Di Bello, a senior director at Guidance Software. “This data suggests that many organizations are, on the whole, behind schedule for compliance. Security leaders must make GDPR a priority over the next year in order to avoid major financial penalties.”
Meanwhile, another survey from WinMagic, which attempted to establish how current data policies at global organizations align with GDPR, finds that many firms still have a great deal of preparatory work to do in order to avoid substantial non-compliance fines.
More than half of organizations surveyed (54 percent) could not say that all personally identifiable information was protected through anonymization and encryption in all digital locations. Only half (52 percent) of organizations could report a data breach to authorities within 72 hours of discovery. Fewer than half (46 percent) said they could precisely identify the data that had been exposed in the event of a data breach.