With just one month until the new EU General Data Protection Regulation (GDPR) comes into force, data security company WinMagic has released the findings of research that suggests many companies will not be ready when it takes effect on May 25, 2018. 62% of IT decision makers (ITDMs) surveyed describe themselves as “confident” in the build-up, with 1 in 5 (18%) saying they are nervous.
Only half (51%) of companies say they have all the systems in place that will allow them to remove EU citizen data from servers upon the request, including back-ups, in accordance with Articles 16 and 17 of GDPR. Worryingly, a fifth (21%) do not yet have any systems in place.
In many cases, companies lack the systems and processes to ensure compliance with the new legislation which affects all companies holding and processing EU citizen data. They must have “appropriate technical and organizational measures” in place to safeguard personal data, as well as minimize data collection, processing and storage. Non-compliance can lead to fines of €20 million or 4% of turnover, but this is far outweighed by the reputational damage that can occur from a data breach where non-compliance has heightened the risks for citizens.
While 73% believe GDPR will change the way their business will operate to meet compliance, there are a number of key areas where they will fail to meet the requirements of the legislation:
- A quarter (25%) admitted that systems were only part implemented, and would not allow the automated removal of citizen data from back-ups
- Just 48% of data is geo-fenced so that it cannot be accidentally, or intentionally, moved out of the legal jurisdiction under which it should be
- Many ITDMs (49%) admit not always conducting security audits of the storage locations their data processing and storage partners use
Failing to Encrypt Data
An average 20% of the companies surveyed lack continuous encryption for personally identifiable information across their cloud and on-premises servers, despite appropriate levels of encryption and anonymization being a requirement for GDPR compliance. Encryption also acts as a last line of defense in the event of a data breach, making data illegible when in the hands of unauthorized parties.
Continuous encryption can be complicated to implement in modern environments where infrastructure and data span both cloud and on-premises servers. Where companies lack strict security and encryption management for technologies such as virtual machines and hyper-converged infrastructure, uncontrolled data sprawl can be common, leading to silos of hidden data, and a fragmentation of governance, that leaves companies non-compliant, and at risk of heavy fines.
Poor Data-Breach Monitoring
When a data breach occurs, speed is the key element in responding to ongoing attacks, but also to controlling the spread and abuse of data by cybercriminals. GDPR requires companies to report data breaches to the relevant regional authority within 72 hours of discovery, yet 41% of ITDMs believe they could not achieve this today. Perhaps more worrying is that many companies lack the tools that will identify a breach ever occurred or the data taken:
- 33% lack confidence and 6% have no confidence that their systems would automatically identify a breach triggered by an external source.
- For internal breaches, 34% lack confidence and 6% have no confidence that their systems would automatically identify a breach event.
- Only half (55%) believe they can precisely identify the data exposed by a breach
“While companies have made general improvements in their preparations for EU General Data Protection Regulation, the survey suggests that most will not be fully compliant with the regulation when it comes into force,” said Mark Hickman, Chief Operating Officer at WinMagic. “While many will have sought the necessary authorizations from EU citizens to store their data and use it for marketing etc., they will lack the processes and protections demanded by the legislation to ensure compliance and protect personally identifiable information with which they have been entrusted. Effective control and management of the IT infrastructure spanning on-premises and cloud service providers for security and specifically encryption, will be a critical component in meeting the legislative requirements and minimizing the risks to consumers.”