Nearly 60% of organisations view the EU’s General Data Protection Regulation (GDPR) positively, rather than as a compliance problem, a survey has revealed.
These businesses see the GDPR as an opportunity to improve privacy, security and data management, or as a catalyst for new business models, according to a poll of 1,500 business leaders in 34 countries by IBM.
The study also revealed that the majority of companies are being more selective in the information they collect and manage, with 70% disposing of data ahead of the deadline for compliance, 78% reducing the number of people who have access to personal data, and 80% cutting down on the amount of personal data they collect and keep.
“The GDPR is having the positive effect of companies asking themselves whether they really need to keep the personal data they have collected and reviewing whether they should be collecting that data in the first place,” said Caleb Barlow, vice-president, threat intelligence, at IBM Security.
Protecting privacy and understanding what data they are collecting is of “paramount importance”, and it is “heart-warming” that 59% of those polled see GDPR as an opportunity to get their house in order, and “refreshing” that most companies are getting rid of all the data they do not need, he told Computer Weekly.
Historically, he said, companies have tended to collect all the data they could, without really understanding whether they had a real purpose for it, but that resulted in huge stores of personal data.
“The GDPR is now forcing organisations to consider whether keeping that data is worth the risk of non-compliance and the risk of this data being exposed by a breach,” said Barlow.
Companies also see the GDPR as an opportunity to build trust with customers and help drive innovation, which is unsurprising in the light of a separate poll of 10,000 consumers, conducted by the Harris Poll on behalf of IBM, which found that only 20% of US consumers completely trust organisations they interact with to maintain the privacy of their data.
According to the poll by IBM’s Institute for Business Value (IBV), 76% of respondents said GDPR would enable more trusted relationships with data subjects, which would in turn create new business opportunities.
Despite this opportunity, only 36% expected to be fully compliant with GDPR by the 25 May compliance deadline.
“GDPR will be one of the biggest disruptive forces impacting business models across industries – and its reach extends far beyond the EU borders,” said Cindy Compert, CTO, data security and privacy, at IBM Security.
“The onset of GDPR also comes during a time of huge distrust amongst consumers toward businesses’ ability to protect their personal data. These factors together have created a perfect storm for companies to rethink their approach to data responsibility and begin to restore the trust needed in today’s data-driven economy,” she said.
Another key finding of the study was that 84% of respondents believe proof of GDPR compliance will be seen as a positive differentiator to the public.
“We have seen that consumers are less and less likely to work with companies that do not provide reasonable protection for personal data, and we expect to see a growing number of companies recognising that the way in which they maintain data, or better yet, don’t collect it and don’t hold on to it, to become a competitive differentiator,” said Barlow.
The study found that the top challenges organisations are currently facing when it comes to GDPR compliance are finding personal data within their organisations (data discovery), ensuring the accuracy of the data they collect and store, and complying with rules for how data is analysed and shared.
Other areas of concern included cross-border data transfer and getting consent from data subjects, as fewer than half of respondents said they were prepared for these aspects of GDPR.
One key element of GDPR is the requirement for companies to report data breaches to regulators within 72 hours. However, the study found that only 31% of companies have re-examined or modified their incident response plans to prepare for this requirement, representing a blind spot in companies’ overall approach to GDPR.
While challenges remain, the study shows that a significant subset of companies surveyed (22%) are using GDPR as a fully transformational business opportunity for how they approach data responsibility and management.
Of this “leaders” subset, 93% have modified their incident response processes, 79% said they were prepared for performing data discovery and ensuring data accuracy, and 74% said they were fully implementing security and privacy by design for new products and services.