One month to go until the new EU General Data Protection Regulation (GDPR) legislation comes into force and it looks as though most companies won't be ready.
WinMagic today released the findings of research showing that only 51 percent of companies say they have all the systems in place that will allow them to remove EU citizen data from servers upon request - including backups - in accordance with GDPR.
What is concerning is the 21 percent of businesses that still don't have any systems in place.
WinMagic says that in many cases companies lack the systems and processes required to ensure compliance with the new legislation, which affects all companies around the world holding and processing EU citizen data. Non-compliance can lead to fines of €20 million or 4 percent of turnover, not to mention the catastrophic reputational damage that can occur from a data breach where non-compliance has heightened the risks for citizens.
“Whilst companies have made general improvements in their preparations for EU General Data Protection Regulation, the survey suggests that most will not be fully compliant with the regulation when it comes into force,” says WinMagic chief operating officer Mark Hickman.
73 percent of businesses believe GDPR will change the way their business operates to meet compliance; however, WinMagic says there are a number of key areas where they will fail to meet the requirements of the legislation:
- 25 percent admitted that systems were only partly implemented and would not allow the automated removal of citizen data from backups
- Just 48 percent of data is geo-fenced so that it cannot be accidentally, or intentionally, moved out of the legal jurisdiction in which it should remain
- 49 percent of IT decision makers (ITDMs) admit to not always conducting security audits of the storage locations their data processing and storage partners use
Another problem uncovered by the research is the failure to encrypt data, with 20 percent of companies lacking continuous encryption for personally identifiable information across their cloud and on-premises servers, despite appropriate levels of encryption and anonymisation being a requirement for GDPR compliance.
WinMagic says continuous encryption can be complicated to implement in modern environments where infrastructure and data span both cloud and on-premises servers, leading to hidden data and a fragmentation of governance that leaves companies non-compliant and at risk of heavy fines.
If a data breach occurs, it's all about how fast businesses can respond to control the spread and abuse of data by cybercriminals. GDPR requires companies to report data breaches to the relevant regional authority within 72 hours of discovery, yet 41 percent of ITDMs believe they could not achieve this today.
WinMagic says that perhaps more concerning is that many companies lack the tools to identify whether a breach ever occurred or what data was taken:
- 33 percent lack confidence and 6 percent have no confidence that their systems would automatically identify a breach triggered by an external source.
- For internal breaches, 34 percent lack confidence and 6 percent have no confidence that their systems would automatically identify a breach event.
- Just 55 percent believe they can precisely identify the data exposed by a breach.
“Whilst many will have sought the necessary authorisations from EU citizens to store their data and use it for marketing etc., they will lack the processes and protections demanded by the legislation to ensure compliance and protect personally identifiable information with which they have been entrusted,” says Hickman.
“Effective control and management of the IT infrastructure spanning on-premises and cloud service providers for security, and specifically encryption, will be a critical component in meeting the legislative requirements and minimising the risks to consumers.”