
MOUNTAIN VIEW, CA — A recent study from cloud data management expert Veritas Technologies has found that organizations around the globe mistakenly believe they are compliant with the upcoming General Data Protection Regulation (GDPR) legislation being introduced by the European Union.
The GDPR is intended to harmonize data privacy and protection mandates across European Union (EU) member states and requires organizations to implement appropriate protection measures and processes to effectively govern personal data. Scheduled to take effect on May 25, 2018, the GDPR legislation will apply to any organization that offers goods or services to EU residents or monitors their behaviour, regardless of whether the organization is located inside or outside the EU.
Veritas commissioned independent technology market research specialist Vanson Bourne to undertake the research for the study. A total of 900 business decision makers were interviewed in February and March 2017 across the U.S., the U.K., France, Germany, Australia, Singapore, Japan and the Republic of Korea. Respondents were from organizations with at least 1,000 employees and that do at least some business with the EU.
According to findings from the Veritas 2017 GDPR Report, almost one-third (31%) of respondents said their enterprise already conforms to the legislation’s key requirements. However, when asked about specific GDPR provisions, most of those same respondents provided answers that indicated they are unlikely to be compliant. In fact, upon closer inspection, only 2% actually appear to be in compliance, Veritas said in a press release announcing the study’s findings.
In terms of being aware of personal data breaches affecting their organizations, almost half (48%) of the survey respondents who stated they are GDPR-compliant do not have full visibility over personal data loss incidents, the research showed. Furthermore, 61% of the same group admitted it is difficult for their organization to identify and report a personal data breach within 72 hours of awareness — a mandatory GDPR requirement where there is a risk to data subjects. Organizations that are unable to report the loss or theft of personal data, such as medical records, email addresses or passwords, to the supervisory body within the 72-hour timeframe are not in compliance with this key requirement of the GDPR legislation.
Organizations that fail to meet GDPR requirements could be hit with a hefty fine — up to 4% of global annual turnover or €20 million, whichever is greater, Veritas said.
Under the GDPR legislation, EU residents who wish to exercise “the right to be forgotten” principle will have the right to ask for the removal of their personal data from an organization’s databases. However, Veritas’s research shows many organizations that stated they are already GDPR-compliant will not be able to search, find and erase personal data.
Of the organizations that believe they are already GDPR-compliant, one-fifth (18%) admitted that personal data cannot be purged or modified. In addition, a further 13% conceded they do not have the capability to search and analyze personal data to uncover explicit and implicit references to an individual. They are also unable to accurately visualize where their data is stored, because their data sources and repositories are not clearly defined, Veritas said.
Another consideration for organizations is the former employee threat, Veritas said. Restricting former employee access to corporate data and deleting their system credentials will help to guard against malicious activity and to avoid financial loss and reputational damage. Yet a staggering 50% of so-called GDPR-compliant organizations that took part in the Veritas study said former employees are still able to access internal data. These findings highlight that even the most confident organizations struggle to control former employee access and are potentially susceptible to attacks, Veritas warned.
Veritas also found in its study there is a common misunderstanding among organizations regarding who is responsible for data stored in cloud environments. Almost half (49%) of the companies that believe they are GDPR-compliant consider it the sole responsibility of the cloud service provider to ensure data compliance in the cloud. In fact, the responsibility lies with the organization controlling the data to ensure the cloud service provider (acting as data processor) provides sufficient GDPR guarantees. This perceived false sense of protection could lead to serious repercussions once the GDPR legislation is enacted, Veritas said.
“The GDPR dictates that multinational corporations take data management seriously. However, the latest findings show confusion over what’s needed to comply with the regulation’s mandatory provisions. With the implementation date looming ever closer, these misconceptions need to be eradicated fast,” said Mike Palmer, executive vice-president and chief product officer for Veritas, in the press release.
“With regulations like the GDPR, you have to understand what data you have in your organization. But you must also know how to take action on it and how to classify it so that policy can be applied accordingly. These are the fundamentals of compliance and the findings today should be used to educate businesses about the mistaken beliefs that could put an organization out of business,” Palmer added.