Businesses underprepared for GDPR


Today, it has been revealed that 96 per cent of companies still do not fully understand the European General Data Protection Regulation (GDPR), despite it coming into effect in May 2018.

The results of a new survey, which was conducted through interviews with 900 business and IT decision makers across the UK, France and Germany, shows 91 per cent of respondents have concerns about their ability to become compliant. The study also revealed only 22 per cent of businesses consider compliance a top priority in the next two years, despite only 26 per cent of respondents believing their organisation is fully prepared for the GDPR.

“These findings show businesses are not only underprepared for the GDPR – they are underpreparing,” said Kevin Isaac, senior vice president, Symantec. “There is a significant disconnect between how important privacy and security is for consumers, and its priority for businesses. The good news is there’s still time to remedy the situation – if firms take immediate action.”

Lack of regulatory awareness

Of those surveyed, nearly a quarter said their organisation will not be compliant at all, or will be only partly compliant, by 2018. Of this group, only a fifth believe it is even possible to become fully compliant with the GDPR, with nearly half believing that while some company departments will be able to comply, others will not. This stark lack of confidence in meeting the May 2018 deadline leaves businesses at risk of incurring significant fines.

A consumer disconnect

While businesses grapple to become compliant, they remain out of touch with consumer expectations when it comes to data privacy and security. Nearly three quarters of businesses do not think an organisation’s privacy track record is a top three consideration for customers when choosing who to do business with, despite customers asking about data security in more than a third of transactions.

Equally concerning is the finding that 35 per cent of respondents do not believe their organisation takes an ethical approach to securing and protecting data.

These results show there is a significant disconnect with consumer priorities. A report found 88 per cent of European consumers see data security as the most important factor when choosing a company with which to do business. In fact, 86 per cent consider it more important than product quality.

Cultural preparedness

The study also found many businesses have not started working out the necessary organisational and cultural changes they need to make ahead of May 2018. Almost one in 10 say all employees can access customers’ personal information and six per cent say all staff can access customers’ payment details. However, only 14 per cent believe everyone in the organisation has a responsibility to ensure data is protected.

With such wide-reaching access to people’s personal information, businesses are underestimating the challenges they will face in managing this in line with the GDPR.

Fewer than half of those surveyed said managing data ethically is a top priority for their organisation, and again fewer than half said they would be increasing security training. Only 27 per cent of businesses are planning to completely overhaul their approach to security in response to the GDPR.

Technical readiness & the right to be forgotten

91 per cent of respondents have concerns about their organisation's ability to comply with the GDPR, due to factors such as the complexity of processing data correctly and on time, and the costs involved. Only 28 per cent of IT and business decision makers realise the right to be forgotten is part of the GDPR, and 90 per cent of businesses say customers requesting that their data be deleted will be a challenge for their organisation. Only nine per cent of respondents have already received requests to be forgotten.

Following on, 81 per cent of respondents believe their customers would exercise their right for data to be deleted; however, 60 per cent of businesses do not currently have a system in place that enables them to respond to these requests.

“Businesses should recognise that privacy, security and compliance with GDPR are extremely important brand differentiators,” said Kevin Isaac, Senior Vice President, Symantec. “Businesses’ response to the GDPR should become a core element of organisational design and culture. Adopting a fragmented, piecemeal approach as part of a tick box exercise will create more problems than it solves.”

Peter Gooch, cyber risk partner, Deloitte, comments: “Whether companies will successfully navigate the GDPR regulation hinges on their willingness to embrace privacy by design. They must also understand that good security and privacy processes can provide a substantial competitive advantage and be a driver in gaining consumer trust, in addition to being driven by regulatory requirements.”

Prof. Dr. Udo Helmbrecht, Executive Director, The European Union Agency for Network and Information Security (ENISA) comments: “Given the fundamental importance of the General Data Protection Regulation (GDPR) in shaping the EU digital environment of tomorrow, the European Union Agency for Network and Information Security (ENISA) welcomes initiatives such as this, which increase our understanding of the implementation challenges that need to be met in order to reach the goals we have set ourselves.