momius - stock.adobe.com
The supplier-produced survey of IT decision-maker attitudes to varying aspects of the enterprise cyber security landscape is a mainstay of security journalism, with topics ranging from phishing to botnets, malware and ransomware to cloud-native attacks, and of course the now perennially popular European Union (EU) General Data Protection Regulation (GDPR) legislation.
GDPR, which has now been in force for nearly 18 months, has already seen several large firms, most notably British Airways and the Marriott hotel chain, hit with substantial fines from the Information Commissioner’s Office (ICO), and in the past few weeks alone, multiple separate studies produced on behalf of companies such as Egress, ManageEngine and Capgemini have reported on the topic.
But it is abundantly clear from the most cursory reading of these surveys’ data that self-reported compliance levels are, generally speaking, variable.
Capgemini, for instance, said 28% of firms were compliant and 30% were close to being so. Egress, on the other hand, reported that 48% of decision-makers said they were compliant and 42% mostly so – a slightly more optimistic figure. However, its report also noted that for over 30% of respondents, compliance had slipped down the list of priorities since May 2018.
ManageEngine, meanwhile, said that 56% of small and medium-sized enterprises (SMEs) said they were fully compliant and 36% were working on it, compared with 70% of enterprises that reported compliance, and 28% that said it was a work in progress.
It also found that the number of companies that felt they were now compliant with the regulations was less than the number that said they were complaint before GDPR came in.
So what’s behind the differing statistics? Where does the truth lie? And what does GDPR compliance actually look like?
At a roundtable event convened by ManageEngine to mark the publication of its third annual State of IT in the UK 2019 report – which surveyed 400 decision-makers in both SMEs and enterprises during June 2019 – an expert panel of security and privacy specialists debated some of the firm’s findings relating to GDPR, and the first thing that became apparent was that there are no straight answers to any of those questions.
“GDPR is not always well defined in black and white – when you get into it, you realise there are different ways of interpreting and implementing it,” says Sridhar Iyengar, European managing director of ManageEngine’s parent, Zoho.
Ian Fish, chair of the British Computer Society’s (BCS) security and privacy executive, said: “You’ll get different answers because GDPR is not prescriptive in a lot of areas. It’s prescriptive about what you have to do, but the actual detail is not prescribed.”
But this might actually be a good thing, Fish added. “GDPR was written to try to future-proof itself a bit and that means being not prescriptive. It’s perhaps an example for how other areas of the law might keep up with advancing technology.”
Independent analyst Bob Tarzey agreed, saying: “GDPR is not a prescriptive regulation, so you can’t comply with it per se, but you can try to ensure your business processes are compliant with the expectations of the regulation.”
Giles Watkins, UK country lead for the International Association of Privacy Professionals (IAPP), said a core problem that explains how different people envisage compliance relates to how they approach the regulations to begin with.
“There are three bubbles – privacy, identity and security,” he said. “People think these are the same thing, but they are not. There’s strong overlap, but they are very different disciplines.”
Watkins explained that privacy, to begin with, came out of the legal profession and was integrated into IT, while security began within the IT world, and identity sits somewhere between the two, as a result of the interaction of humans with IT.
“That means you get different answers if you ask an IT person, a lawyer or someone in charge of customer service whether they are GDPR compliant,” he said. “You get incredibly different answers. I think that’s part of what’s behind that, who you are asking.”
Happily, it also appears that those responding to these surveys are answering the questions honestly, at least to the best of their ability. The IAPP recently conducted its own survey on security governance, working alongside consultancy EY, in which 43% of respondents said they were only “moderately” compliant with GDPR, and Watkins said he was actually pleasantly surprised at how candid most people were about their readiness, particularly CISOs and other security professionals whose jobs are on the line if their employer is breached.
“The truth of it is that organisations have probably figured out what they need to do and they are comfortable that they have a plan,” said Watkins.
Read more about GDPR compliance
- Over half of UK businesses do not yet appear to be fully GDPR-compliant, and many have de-prioritised their compliance efforts.
- Mathieu Gorge, CEO of Vigitrust, looks at technologies such as pseudonymisation that can help organisations stay GDPR-compliant while gaining value from analytics on customer data.
- The General Data Protection Regulation is over a year old now, but it faces challenges across Europe where compliance has taken place at different speeds.
But he added that a proper plan for GDPR compliance will take years to implement because it is multifaceted – some of it is about internal change, some of it is about standardisation, some about data audit, some about retiring legacy systems – and these are not things that can happen overnight.
The upshot of this? Security professionals should not necessarily panic when they see stories about GDPR compliance.
Actually, said Watkins, it is highly unlikely that any business will ever be able to reach a point at which it can say for sure that it even is GDPR compliant. Why should this be? It relates to how data has been managed in enterprises up to now.
“The number one hardest task when complying with GDPR is locating unstructured data,” he said. “Do we know what we’ve got and where it is?”
The answer to this question is “not fully”, said Watkins, because of a multitude of factors, such as legacy systems that don’t talk to each other, multiple sites with different backups, and shadow IT installations holding data that nobody ever knew existed for sure.
In fact, this was also one of the takeaways from Capgemini’s survey data, which showed that one-third of enterprises rate legacy equipment as their biggest GDPR challenge.
Although there are tools that can search these data repositories and find exactly what enterprises do have, they are by no means perfect, and there is still a lot of manual sifting to do, said Watkins.
“That’s ongoing and it changes all the time, it has to be constantly updated, it’s not a one-off-exercise,” he said. “What that means is you need a lot of resources to do GDPR, and a lot of resource needs to stay there.
“That’s the expensive bit. A lot of people pay consultants to do a lot of those projects and say they’re compliant, but the moment they are compliant, they start to fall out of compliance and it’s maintaining that, that is the real challenge.”
Watkins added: “I’d be very surprised if any organisation is fully compliant, but do they understand what they need to do and are they confident they are on the right path? Those figures are higher.”
A positive future for GDPR
Indeed, the IAPP’s numbers seem to suggest that investment around GDPR is starting to flatten – although it remains high – as security professionals grow more confident that they have got their heads around the key points and developed a workable action plan.
It is also important to note that there is some anecdotal evidence to suggest that internally, the ICO is taking the position that it doesn’t really expect everybody’s GDPR compliance to be watertight, but if it sees evidence of a plan, and progress towards a goal, it will be less minded to impose the maximum 4% of turnover fine if a business is breached because, despite its best efforts, it was unlucky. Complacency, on the other hand, will be punished.
Kevin Duffy, co-chair of cyber and convergence at the Security Institute, the UK’s largest professional membership body for security practitioners, and managing director of reputation management firm Cyber Rescue, said he sees evidence that GDPR is stimulating cultural change within organisations, and for that reason has the potential to be enormously effective.
“When I was a kid, there was cultural change because a law came in saying my parents had to tell me to put a seatbelt on,” he said. “I feel like all of us now, every time we get in the car, whether it was the law or not, we’d put a seatbelt on.
“GDPR is helping businesses see that they’ve got shadow IT and data that’s all at risk, they could get fined 4% of turnover, their reputation could get slammed.
“If the culture changes then every time a business introduces a new platform or service, then eventually it goes, oh, shall we put our seatbelt on?”