grandeduc - Fotolia

Finding customer data is big hurdle to meeting GDPR right to erasure

Global organisations do not know where customer data is stored and use unreliable data removal methods to erase content, a study shows

Locating customer data is likely to be the biggest challenge to fulfilling personal data erasure requests under the EU’s General Data Protection Regulation (GDPR).

From 25 May 2018, any organisation holding EU citizens’ personal data will be required to erase that data at the request of the data subject.

However, most organisations struggle to identify where all their customer data is stored, according to the EU GDPR: Countdown to compliance study by the Blancco Technology Group, which polled 750 corporate IT professionals in the UK, US, France, Germany and Spain.

One in five French organisations admitted having a low level of confidence in their ability to find all customer data on-premise and off-premise.

This was slightly better in Germany, where 15% of organisations admitted they do not know where all customer data is stored, followed by the US (13%) and the UK (12%).

Ironically, the “right to be forgotten” (data erasure) tops the list of GDPR priorities, alongside keeping a record of data processing activities and the GDPR’s requirement of breach notification within 72 hours.

Insufficient budgets, improper handling and storage of IT equipment, and lack of data removal software were cited as the biggest roadblocks to fulfilling data erasure requirements.

The study found that insecure and unreliable data removal methods undermine security and compliance, with basic deletion used by IT professionals in France (34%), the US (28%), Spain (26%), the UK (24%) and Germany (23%).

Free data wiping tools without proof of erasure are used by organisations in Spain (35%), the UK (33%), Germany (27%), the US (25%) and France (21%).

“If organisations cannot find their customers’ data, it will be impossible for them to comply with the GDPR’s requirement to erase data,” said Richard Stiennon, chief strategy officer for the Blancco Technology Group.

“Once they do finally locate their customers’ data, the next step is erasing the data permanently so that it can never be recovered. But, as our study reveals, it’s quite common for organisations to use insecure and unreliable data removal methods, such as basic deletion and free data wiping software, which further undermines their security and compliance with the GDPR,” he said.

Counting the cost of GDPR compliance

Many organisations plan to increase their data security spending to ensure they are not left unprepared and vulnerable to non-compliance. The amount of spending will vary across different geographic regions, however, with French, Spanish and German companies apparently willing to spend more than their US and UK counterparts.

The study shows that 85% of Spanish companies will spend up to $3.99m, while 77% of French companies and 73% of German companies will spend the same amount, compared with just 69% of UK companies and 65% of US firms.

The study noted that 8% of UK firms plan to spend nothing to prepare for GDPR compliance, compared with 2% in the US, France and Spain, and 3% in Germany.

The study ascribes this higher proportion of UK firms not planning to spend anything on GDPR compliance in part to the belief that UK firms will not be held accountable to the legislation as a result of Brexit.

Since that is not the case, the study said UK organisations cannot afford to be complacent and must allocate the necessary budgets to ensure compliance and avoid fines.

Although US companies do not plan to spend as much money as their European counterparts, the study said it was still a positive sign that 65% plan to spend up to $3.99m to comply with EU GDPR.

Even though US firms are not located in the EU, the study’s findings suggest that a significant portion of them collect and store data for European citizens, which makes them accountable to the EU GDPR requirements.

Keeping track of customer data

According to the study, data protection officers (DPOs) are uncommon and costly additions, with 59% of US firms and 53% in the UK most likely to assign the responsibilities of a DPO to an existing role. In Germany, however, 40% of companies plan to hire a dedicated DPO, while 16% of French companies plan to outsource the role to a consultant.

Another key finding of the study is that change begins with a data protection gap analysis, with 41% of US organisations currently undergoing a gap analysis and 43% of UK firms planning to start the process in the second half of 2017.

Half of Spanish organisations polled will do so in the second half of 2017, but 14% of the French respondents and 14% of the German respondents will wait until 2018.

“The first priority for all companies should be to gain a complete picture of all data that is collected, stored or processed that contains EU citizen information,” said Stiennon.

“After that, companies must ensure that adequate means of protecting that data have been implemented, such as access being restricted to authorised personnel, proper authentication being used and proper procedures for backing up and archiving data and data sanitisation policies being implemented to remove data when it is no longer needed or requested by customers.

“In addition, any third parties that have access to the data must be evaluated to ensure they too have adequate controls in place,” he said.

Read more about GDPR

  • Businesses dealing with EU citizens’ data urged to ensure they are on track to comply with the GDPR in less than 16 months, as the world marks Data Protection Day 2017.
  • The Information Commissioner’s Office sets out plans for publishing guidance on the EU General Data Protection Regulation (GDPR).
  • The Information Commissioner’s Office is to publish a revised timeline for the UK implementing the EU’s General Data Protection Regulation after Brexit.
  • Business demand for consumer identity management capability is growing to enable new business models and improve customer engagement.

Read more on Privacy and data protection

Data Center
Data Management