Only 15.7% of more than 200 UK and US companies polled are in the advanced planning stages of complying with the EU General Data Protection Regulation (GDPR).
Some 17.8% said they were in the moderate planning stages and 11% said they were only in the initial stages of implementing processes to ensure compliance, according to the survey by security firm Guidance Software.
But 24% of the organisations surveyed said they would not be ready by the 25 May 2018 deadline, and 30.6% said they had no timetable for being GDPR compliant, which could expose them to fines of up to €20m or 4% of their annual global turnover, whichever is greater.
Some 14.2% said they would divest EU operations instead of attempting to become compliant with the GDPR.
The survey revealed that bigger companies have made the most progress towards compliance. Some 43% of organisations with revenues of $1bn or more claimed to have processes in place already that can identify data records of any EU citizen and determine where that data is being processed, in comparison to just 26.8% of organisations with under $100m in sales.
The GDPR applies to any organisation, wherever it is established, that processes the personal data of individuals in the EU, and it sets out the data protection rights those individuals can exercise against it.
However, more than half of the companies surveyed have not yet begun to evaluate third-party products or developer processes to identify the data records of EU citizens.
When asked to prioritise the recruitment and training of a qualified data protection officer, 23.7% ranked it as a high priority, 18.1% said it was a medium priority, and 15.4% named it a low priority.
Across all companies surveyed, the top three activities for becoming GDPR compliant are:
- Use and maintain policies and procedures for the anonymisation and de-identification of personal data (24.9%).
- Conduct a full audit of EU personal data manifestation (22.8%).
- Evaluate all third-party operational partners that receive or access transfers of personal data (21.4%).
“With nearly five billion data records exposed in the past four years alone, there is a clear trend towards stronger protection of consumer data, and GDPR is a major first step in that direction,” said Anthony Di Bello, senior director, products, at Guidance Software.
“This data suggests that many organisations are, on the whole, behind schedule for compliance. Security leaders must make GDPR a priority over the next year to avoid major financial penalties,” he said.
To prepare for GDPR compliance, organisations are advised to:
- Understand and acknowledge the requirements of GDPR for each specific business.
- Conduct an internal audit to determine internal practices that need to change.
- Create an incident response plan, including testing and updating procedures.
- Identify gaps in technology.
- Appoint a qualified data protection officer (DPO).
- If there is not already a plan for GDPR compliance, start now.
Guidance Software also advises organisations to:
- Monitor efforts at EU level and in member states to prepare for enforcement of the GDPR.
- Establish familiarity with the supervising authority or authorities most relevant to operations.
- Monitor technical guidance and codes of conduct from relevant EU authorities.
- Establish where customer personal data is located, why it is used, and how long it is kept.