Veritas says GDPR looms, once more unto the (data) breach

Data engineering departments and their corresponding software application development shops have got the message regarding the upcoming General Data Protection Regulation (GDPR) by now, right?

Apparently not says Veritas Technologies, the data specialist firm that now chooses to style itself as the ‘multi-cloud data management’ firm.

Veritas claims to have uncovered what may be worrying ‘findings’ in its Veritas 2017 GDPR Report — although thirty-seven per cent of UK organisations claim to be ‘GDPR-ready’, Veritas estimates that only nine per cent of UK firms that believe they are prepared for the GDPR actually are.

When survey respondents were asked about specific GDPR provisions, most provided answers that show they are unlikely to be in compliance, states Vertias.

The implication, if this survey holds water, is that there is a widespread and distinct misunderstanding over regulation readiness.

 “With the EU’s General Data Protection Regulations (GDPR) less than one year away, organisations around the world are deeply concerned about the impact that information non-compliance can have on their brand and loyalty of their customers,” said Jason Tooley, VP for Northern Europe at Veritas.

Of 900+ global UK organisations polled: 

  • 45 per cent of organisations find it difficult to identify and report a data breach within 72 hours
  • 16 per cent admit that personal data cannot be purged or modified
  • Almost one-third, 32 per cent, believe that former employees still have access to internal data


The findings from the report show that almost half (48 per cent) of organisations who stated they are compliant do not have full visibility over personal data loss incidents. Moreover, 61 per cent of the same group admitted that it is difficult for their organisation to identify and report a personal data breach within 72 hours of awareness – a mandatory GDPR requirement where there is a risk to data subjects.

Any organisation that is unable to report the loss or theft of personal data – such as medical records, email addresses and passwords – to the supervisory body within this timeframe is breaking with this key requirement.

The developer responsibility 

As Veritas’ Tooley has openly suggested more education is needed on the tools, processes and policies to support information governance strategies that are required to comply with the GDPR requirements.

“Creating an automated, classification-based, policy-driven approach to GDPR is key to success and will enable organisations to accelerate their ability to meet the regulatory demands within the short timeframes available,” he said.

Developers should also know who holds the responsibility for data held in cloud environments before they embark upon their next cloud-driven deployment, rollout or enhancement.

Veritas asserts that almost half (49 per cent) of the companies that believe they comply with the GDPR consider it the sole responsibility of the cloud service provider (CSP) to ensure data compliance in the cloud.

“In fact, the responsibility lies with the data controller (the organisation) to ensure that the data processor (the CSP) provides sufficient GDPR guarantees. This perceived false sense of protection could lead to serious  repercussions once the GDPR is enacted,” said Veritas, in a press statement.

Failure to meet GDPR requirements could attract a fine of up to four percent of global annual turnover or €20 million, whichever is greater.