Vast majority of firms fear impact of GDPR non-compliance
With now just over one year before the General Data Protection Regulation takes effect in Europe, the vast majority of organizations worldwide are concerned that a failure to adhere to the new regulations could have a major negative impact on their business.
According to a new global study by Veritas Technologies, 86 percent of organizations surveyed fear negative impacts from non-compliance with the GDPR. Nearly 20 percent said they fear that non-compliance could put them out of business.
“Intended to harmonize the governance of information that relates to individuals (personal data), across European member states, the GDPR requires greater oversight of where and how personal data – including credit card, banking and health information – is stored and transferred, and how access to it is policed and audited by organizations,” the study notes.
“GDPR, which takes effect on May 25, 2018, will not only affect companies within the EU, but extend globally, impacting any company that offers goods or services to EU residents, or monitors their behavior, for example, by tracking their buying habits,” the study continues.
More than 900 senior business leaders in Europe, the United States and Asia were surveyed for the study, and 47 percent expressed "major doubts" that they will meet the impending compliance deadline. A further 21 percent expressed concern that they will have to lay off workers as a result of financial penalties incurred through non-compliance.
Organizations are also worried about the impact that non-compliance could have on their brand image, especially if and when non-compliance is made public. The biggest concern here is the new requirement to notify customers affected by data breaches.
From a technology standpoint, many organizations reported difficulty understanding what data they hold, where that data is located and its relevance to the business. Nearly one-third (32 percent) said their current technology is unable to effectively manage their data. The ability to search, discover and review data is a criterion for GDPR compliance.
In addition, 39 percent of organizations say they cannot accurately identify and locate relevant data. This poses another compliance issue, since, when requested, businesses must be able to provide individuals with a copy of their data, or delete it, within a 30-day time frame.
Finally, there is also widespread concern about data retention.
“More than 40 percent (42 percent) of organizations admitted that there is no mechanism in place to determine which data should be saved or deleted based on its value,” the study reveals. “Under GDPR companies can retain personal data if it is still being used for the purpose that was notified to the individual concerned when the data was collected, but must delete personal data when it is no longer needed for that purpose.”