This article is part of our Essential Guide: Essential guide to the EU General Data Protection Regulation (GDPR)

Businesses underprepared for GDPR, study shows

Lack of consumer and regulatory understanding, combined with low technical and cultural preparedness, represents a major threat to revenue and brand value, according to a Symantec state of privacy report

An alarming 96% of companies still do not fully understand the European General Data Protection Regulation (GDPR), a survey has revealed.

As a result, 91% of 900 businesses and IT decision makers polled in the UK, France and Germany have concerns about their ability to become compliant by the time the GDPR comes into force on 25 May 2018, according to Symantec’s State of Privacy Report.

The report coincides with a call by the Payment Card Industry Security Standards Council (PCI SSC) for firms to act now to avoid exponentially increased penalties under new European Union (EU) data protection regulations. 

UK businesses could face up to £122bn in penalties for data breaches when new EU legislation comes into effect, the PCI SSC has warned.

The Symantec study also revealed only 22% of businesses consider compliance a top priority in the next two years, despite only 26% of respondents believing their organisation is fully prepared for the GDPR.

“These findings show businesses are not only underprepared for the GDPR, they are under preparing,” said Kevin Isaac, senior vice-president, Symantec.

“There is a significant disconnect between how important privacy and security is for consumers, and its priority for businesses. The good news is there’s still time to remedy the situation, but only if firms take immediate action,” he said.

Nearly a quarter of those polled said their organisation will not be compliant at all, or will be only partly compliant, by 2018.

Of this group, only a fifth believe it is even possible to become fully compliant with the GDPR, with nearly half believing that while some company departments will be able to comply, but others will not.

This stark lack of confidence in meeting the May 2018 deadline leaves businesses at risk of incurring significant fines, the report said.

A consumer disconnect

While businesses grapple to become compliant, they remain out of touch with consumer expectations when it comes to data privacy and security.

Nearly three-quarters of businesses do not think an organisation’s privacy track record is a top three consideration for customers when choosing who to do business with, despite customers asking about data security in more than a third of transactions.

Equally concerning, the report said, is the finding that 35% of respondents do not believe their organisation takes an ethical approach to securing and protecting data. 

These results show there is a significant disconnect with consumer priorities, the report said, with 88% of European consumers regarding data security as the most important factor when choosing a company with which to do business. In fact, 86% consider it more important than product quality.

Unsurprisingly, the study found that 55% of businesses are not confident they completely meet customers’ data security expectations.

Cultural preparedness 

The study also found many businesses have not started working out the necessary organisational and cultural changes they need to make ahead of May 2018.

Some 9% of businesses admitted that all employees are able to access customers’ personal information, while 6% admitted that all staff can access customers’ payment details. Only 14% believe everyone in the organisation has a responsibility to ensure data is protected.

With such wide-reaching access to people’s personal information, businesses are underestimating the challenges they will face in managing this in line with the GDPR, the report said.

Under half of those surveyed said managing data ethically is a top priority for their organisation, and less than half again said they would be increasing security training. Only 27% of businesses polled said they are planning to overhaul their approach to security in response to the GDPR.

Technical readiness

The majority of respondents (91%) have concerns about the ability of their organisation to comply with the GDPR, due to factors such as the complexity of processing data correctly in time and costs involved.

Only 28% of IT and business decision makers realise the right to be forgotten is part of GDPR, while 90% of businesses say customers requesting their data be deleted will be a challenge for their organisation.

Only 9% of respondents have already received requests to be forgotten, but 81% believe their customers would exercise their right for data to be deleted, and 60% of businesses do not currently have a system in place that enables them to respond to these requests.

“Businesses should recognise that privacy, security and compliance with GDPR are extremely important brand differentiators,” said Kevin Isaac.

“Businesses’ response to the GDPR should become a core element of organisational design and culture. Adopting a fragmented, piecemeal approach as part of a tick box exercise will create more problems than it solves,” he said.

Peter Gooch, cyber risk partner at Deloitte, said the ability of companies to navigate the GDPR successfully hinges on their willingness to embrace privacy by design.

“They must also understand that good security and privacy processes can provide a substantial competitive advantage and be a driver in gaining consumer trust, in addition to being driven by regulatory requirements,” he said.

Udo Helmbrecht, executive director of the EU cyber security agency Enisa, said, given the fundamental importance of the GDPR in shaping the future EU digital environment, the agency welcomes the findings the publication of the Symantec report.

“Enisa welcomes initiatives such as this, which increase our understanding of the implementation challenges that need to be met to reach the goals we have set ourselves,” he said.

Read more about the GDPR

Read more on Privacy and data protection