Finding customer data is big hurdle to meeting GDPR right to erasure

Global organisations do not know where customer data is stored and use unreliable data removal methods to erase content, a study shows

Locating customer data is likely to be the biggest challenge to fulfilling personal data erasure requests under the EU’s General Data Protection Regulation (GDPR).

From 25 May 2018, any organisation holding EU citizens’ personal data will be required to erase that data at the request of the data subject.

However, most organisations struggle to identify where all their customer data is stored, according to the EU GDPR: Countdown to compliance study by the Blancco Technology Group, which polled 750 corporate IT professionals in the UK, US, France, Germany and Spain.

One in five French organisations admitted having a low level of confidence in their ability to find all customer data on-premise and off-premise.

This was slightly better in Germany, where 15% of organisations admitted they do not know where all customer data is stored, followed by the US (13%) and the UK (12%).

Ironically, the “right to be forgotten” (data erasure) tops the list of GDPR priorities, alongside keeping a record of data processing activities and the GDPR’s requirement of breach notification within 72 hours.

Insufficient budgets, improper handling and storage of IT equipment, and lack of data removal software were cited as the biggest roadblocks to fulfilling data erasure requirements.

The study found that insecure and unreliable data removal methods undermine security and compliance, with basic deletion used by IT professionals in France (34%), the US (28%), Spain (26%), the UK (24%) and Germany (23%).

Free data wiping tools without proof of erasure are used by organisations in Spain (35%), the UK (33%), Germany (27%), the US (25%) and France (21%).

“If organisations cannot find their customers’ data, it will be impossible for them to comply with the GDPR’s requirement to erase data,” said Richard Stiennon, chief strategy officer for the Blancco Technology Group.

“Once they do finally locate their customers’ data, the next step is erasing the data permanently so that it can never be recovered. But, as our study reveals, it’s quite common for organisations to use insecure and unreliable data removal methods, such as basic deletion and free data wiping software, which further undermines their security and compliance with the GDPR,” he said.

Counting the cost of GDPR compliance

Many organisations plan to increase their data security spending to ensure they are not left unprepared and vulnerable to non-compliance. The amount of spending will vary across different geographic regions, however, with French, Spanish and German companies apparently willing to spend more than their US and UK counterparts.

The study shows that 85% of Spanish companies will spend up to $3.99m, while 77% of French companies and 73% of German companies will spend the same amount, compared with just 69% of UK companies and 65% of US firms.

The study noted that 8% of UK firms plan to spend nothing to prepare for GDPR compliance, compared with 2% in the US, France and Spain, and 3% in Germany.

The study ascribes this higher proportion of UK firms not planning to spend anything on GDPR compliance in part to the belief that UK firms will not be held accountable to the legislation as a result of Brexit.

Since that is not the case, the study said UK organisations cannot afford to be complacent and must allocate the necessary budgets to ensure compliance and avoid fines.

Although US companies do not plan to spend as much money as their European counterparts, the study said it was still a positive sign that 65% plan to spend up to $3.99m to comply with EU GDPR.

Even though US firms are not located in the EU, the study’s findings suggest that a significant portion of them collect and store data for European citizens, which makes them accountable to the EU GDPR requirements.

Keeping track of customer data

According to the study, data protection officers (DPOs) are uncommon and costly additions, with 59% of US firms and 53% of UK firms most likely to assign the responsibilities of a DPO to an existing role. In Germany, however, 40% of companies plan to hire a dedicated DPO, while 16% of French companies plan to outsource the role to a consultant.

Another key finding of the study is that change begins with a data protection gap analysis, with 41% of US organisations currently undergoing a gap analysis and 43% of UK firms planning to start the process in the second half of 2017.

Half of Spanish organisations polled will do so in the second half of 2017, but 14% of the French respondents and 14% of the German respondents will wait until 2018.

“The first priority for all companies should be to gain a complete picture of all data that is collected, stored or processed that contains EU citizen information,” said Stiennon.

“After that, companies must ensure that adequate means of protecting that data have been implemented, such as access being restricted to authorised personnel, proper authentication being used and proper procedures for backing up and archiving data and data sanitisation policies being implemented to remove data when it is no longer needed or requested by customers.

“In addition, any third parties that have access to the data must be evaluated to ensure they too have adequate controls in place,” he said.

1 comment

This sounds like one big advertisement of the Blancco group, which make and sell software to securely erase data.

Unless I'm mistaken, there isn't a clear statement in the GDPR about what deletion measures are sufficient. The GDPR is not about IT systems, but about personal data - regardless of the way the data is stored.

For example: If you have personal details about someone on paper and these should be deleted (right to be forgotten), then which measures are sufficient?

  1. Throw it in the bin
  2. Shred the paper
  3. Burn the paper
  4. Burn and crush 

Although option 4 is the most secure way, is the GDPR really obliging you to go that far? I don't think so.
