momius - stock.adobe.com
More than a year since the compliance deadline for the European Union’s General Data Protection Regulation (GDPR), and as regulators begin to announce the first significant fines for GDPR infringements, 30% of European firms polled are not confident their business is compliant.
Only 57% of respondents were confident their businesses comply with GDPR rules, while a further 13% were unsure, according to a survey conducted by the European Business Awards on behalf of audit, tax and consulting firm RSM.
A separate survey by data virtualisation platform Delphix found that some companies in the UK were leading their CEO to believe they are compliant with GDPR, when in fact they have significant amounts of unprotected personal data in test environments.
This was revealed when Delphix spoke to 50 custodians of data to hear what they had to say about the challenge of balancing access to data with data security.
A key finding that emerged was that many businesses were either unaware or unperturbed by the non-compliance of data used to test systems under development.
Perhaps even more shocking was a chief information security officer (CISO) admitting to telling their CEO that the company was GDPR compliant, despite having terabytes of unprotected personal data in non-production.
Delphix’s chief technology officer (CTO), Eric Shrock, said it was clear that the vast majority of top-level executives were unaware of how easily accessible their highly sensitive data was.
“Pair that with growing frustration among developers looking to acquire data quickly and we have the perfect recipe for disaster,” he said.
Businesses struggling to understand GDPR
The RSM survey revealed that mid-market businesses were struggling to understand and implement a whole range of areas covered by the regulation.
More than a third (38%) of non-compliant businesses do not understand when consent is required to hold and process data, 35% are unsure how they should monitor their employees’ use of personal data and 34% do not understand what procedures are required to ensure third-party supplier contracts are compliant.
Despite these problems and the resulting lack of compliance, the RSM survey showed that the GDPR is starting to have a positive impact on cyber security within the EU. Almost three-quarters (73%) of European businesses said GDPR has encouraged them to improve the way they manage customer data, while 62% said it has seen them increase their investment in cyber security.
However, the survey showed there remains much more to do, with 21% of businesses admitting they still have no cyber security strategy in place.
Another data protection survey by security firm CyberArk revealed that less than half of UK respondents (43%) are prepared for breach notification and investigation within the mandated 72-hour period under the GDPR.
At the same time, research from business process outsourcer Parseq found that two-thirds (67%) of IT and telecoms businesses in the UK have seen a rise in data access requests since the GDPR’s introduction, but 87% have faced challenges in responding effectively.
Complexity (58%) and cost (55%) were cited as the biggest challenges, while 40% said they were being hindered by a reliance on paper documentation. Only 6% of respondents digitised all documentation in the year prior to the GDPR’s introduction. This rose to 11% in the 12 months following.
“With so much pressure on organisations to meet complex requirements, we saw GDPR fatigue setting in last year,” said Steven Snaith, technology risk assurance partner at RSM UK.
“Middle-market businesses were overwhelmed by information from the press, industry bodies and stakeholders. Many organisations simply gave up and reverted back to the old way of doing things,” he said.
Steven Snaith, RSM UK
But, according to Snaith, there are signs that this fatigue is about to fade. “High-profile fines across Europe have demonstrated that regulators across the EU are serious about enforcement. Businesses are scrambling to catch up once again.
“One important aspect to note is that GDPR compliance is far wider than just policies, procedures and training. Underlying technology controls need to be robust to safeguard the leakage and unauthorised access of personal data,” he said.
Recognising benefits of GDPR
Jean Stephens, CEO of RSM International, said GDPR was complex and challenging, but “also an opportunity for businesses to differentiate themselves with their ability to respond and demonstrate their organisational agility”.
“By letting go of legacy systems and rethinking the way they interact with data, these more entrepreneurial businesses can become more appealing partners and more innovative competitors on the global stage,” he said.
Although 37% of respondents claimed that the cost of GDPR compliance had slowed growth and 28% claimed it had made it more difficult to work with non-European businesses, 73% said GDPR compliance had helped improve the management of customer data.
Other benefits include making the business more effective operationally (31%) and an increased sense of safety from cyber crime (51%).
GDPR compliance is also driving increased investment in cyber security (62%) and encouraging innovative uses of data (58%), the RSM survey showed.
These positive signs indicate that organisations are making concerted efforts to change the perception and use of data, according to Haroon Malik, director of cyber security consulting at Fujitsu.
“This process cannot happen overnight, but the GDPR is helping to cement a responsible attitude towards data and privacy across all industries,” he said.
Malik said while the fact that nearly a third of European firms are still not GDPR compliant was worrying, there was no need to panic.
“While some firms are still working to understand how GDPR is applied to their business model or industry, compared with five or six years ago, there’s been a real change in how companies use and process data.
“One year after GDPR came into force, businesses have become more mindful of how and why they collect and store data and are taking steps to process this in a lawful way,” he said.
Malik noted that many business owners can feel overwhelmed by the new laws. “This is why they will need time and support from both the community and regulators to make the best of GDPR,” he said.
Read more about GDPR and business
- A week after issuing the first serious GDPR fines, the Information Commissioner’s Office has further underlined the importance of data stewardship and due diligence regarding privacy practices.
- Organisations should see data protection and privacy compliance as an opportunity to build trust with customers, according to startup One.Thing.Less.
- GDPR for the CIO: Data protection is about more than GDPR compliance.
- Why Europe’s GDPR privacy regulation is good for business.