Data Breach Digest: Looming GDPR deadline is a wake-up call for U.S. companies

July 1, 2017
Less than a year before regulation takes effect, only nine percent of organizations are ready to comply

The launch of the General Data Protection Regulation (GDPR) in May 2018 puts security professionals in a unique position. For once, we can see where our industry is headed and prepare for it. But are companies fully embracing this opportunity?

To better understand U.S. companies’ overall awareness of, and preparedness to address, these new regulations, Experian Data Breach Resolution partnered with the Ponemon Institute to survey over 500 individuals in IT security and compliance. The resulting report – "Data Protection Risks & Regulation in the Global Economy" – uncovered several startling findings: companies are not only failing to take advantage of the lead time to prepare for the GDPR, they are also failing to understand the regulation and to prioritize compliance.

The GDPR was formally adopted in early 2016. Since then security experts have worked to decode the regulation and understand exactly what steps companies should take in order to comply. However, despite most respondents (89 percent) reporting that the GDPR will significantly affect their data protection practices, only nine percent of organizations are ready to comply. This lack of preparedness was particularly pronounced in organizations’ data breach notification practices: only 10 percent reported being able to notify within the 72 hours the GDPR allows for notifying the supervisory authority after becoming aware of a breach. The rest reported much longer response times, with the slowest taking two to five months to notify.

What this tells us is that despite the attention focused on the GDPR, there are still steep barriers for companies looking to comply, including a lack of understanding of the regulation, a failure on the part of senior leadership to prioritize compliance and technology limitations.

Lack of understanding

While most organizations understand the GDPR is something they need to worry about, many aren’t sure what to do or where to begin. As I discussed in my April column, there is a sense of unease among security professionals since the exact execution of these regulations is unclear. While I have heard these sentiments numerous times, I was still startled to find that 59 percent of survey respondents admitted their organizations don’t understand what they need to do to comply with the GDPR. This lack of understanding was underscored by the fact that, instead of adopting or updating compliance practices, 34 percent of respondents reported their companies were choosing to close overseas operations to “prepare” for the GDPR. This is an indication that many organizations do not fully understand the regulation. Companies will be required to comply with the GDPR regardless of whether they have physical operations in Europe – any company that collects or stores personal data on individuals in the EU, for example by offering them goods or services or monitoring their behavior, will be subject to the rules.

Lack of Prioritization by C-suite

In the security world, the buzz around the GDPR seems to never end. But this constant chatter does not appear to have translated into attention from the C-suite. Even though 69 percent of the security experts surveyed felt non-compliance would hinder their companies’ ability to do business globally, only 30 percent said their organizations’ C-suite was fully aware of the company’s compliance status. Even more concerning, just 38 percent said their executives viewed global data regulations as a top priority.

This lack of prioritization is having serious impacts on organizations’ ability to prepare for the GDPR, from budgetary restrictions to a reluctance to make necessary organizational changes. Thirty-four percent reported that their team did not have enough money for appropriate security technology, and 37 percent lacked the budget to hire the needed staff to comply. These findings, along with the fact that 60 percent of respondents noted a reluctance to make the needed comprehensive changes in business practices, demonstrate a concerning lack of attention from senior executives. And the window to prepare ahead of time is rapidly closing.

Lack of Technology

Maintaining best-in-class security technology is a goal that continually eludes countless organizations. As companies do move to prepare for the GDPR, many cited lacking the right technology as a top concern affecting their ability to comply with the regulation. In fact, 49 percent reported that their security solutions were outdated and/or inadequate to cope with a global data breach. Additionally, just 40 percent of respondents felt confident their organizations’ security technologies would adequately protect information assets and IT infrastructures overseas. Before May 2018, companies must do a thorough assessment of their technological needs to ensure their IT team has the resources they need to handle even the most advanced attacks and emerging risks.

Getting a Jump Start on Regulations

While there is clearly room for improvement, the report also showed that some organizations are taking positive steps toward preparedness and compliance, and working to get ahead of the impending regulations. It is very encouraging that 41 percent of respondents noted their companies were taking actions to prepare, including:

  • Seventy percent are conducting assessments of their ability to comply with regulations;
  • Fifty-seven percent are investing in new technologies or services such as analytics and reporting, consents management and encryption; and,
  • Fifty-five percent are appointing a data protection officer, which the GDPR requires for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special categories of data.

However, many organizations could and should be doing more to prepare for a global data breach and comply with the GDPR. Global data breach risks continue to increase in number, scope and impact, and the potential loss of business and financial impact of a breach could prove catastrophic for affected companies.

In addition to taking the actions listed above, companies can prepare for the GDPR by investing in stronger governance, risk management and compliance (GRC) programs; further developing their security technologies (e.g. security analytics, SIEM, enterprise wide encryption, threat intelligence sharing platforms); recruiting and retaining knowledgeable personnel; purchasing cyber and data breach insurance; and, implementing programs that preserve customer trust and loyalty.

With less than a year to go until the GDPR takes effect, any company that conducts business internationally needs to act now to ensure it will be ready to deal with a global data breach when it occurs – or it will suffer the consequences.

About the Author: 

Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board. He can be reached at [email protected].