With just a year and a half before the new EU data protection regulation goes into effect, companies that will...
be expected to comply appear to be largely unprepared and even uninformed about the new rules.
The online survey, conducted for Dell by Dimensional Research, included responses from 821 IT and business professionals responsible for data privacy at companies across the U.S., U.K., Canada, Asia Pacific, Germany, Sweden, Benelux, France, Italy, Spain and Poland, all of which have at least 10% of their customer base in Europe.
According to the research, global firms have a long way to go to learn what the General Data Protection Regulation (GDPR) entails and how they're going to comply with it by the time it takes effect in May 2018. Only 31% of respondents were confident they were prepared for GDPR compliance, while 37% admitted their firms were not ready, leaving 32% with no idea of whether or not their firms were prepared. Only 3% said their companies had plans in place to be ready for the new regulation, though that may seem extreme as 37% reported they were still working on their plan and 27% were trying to determine who needs to be involved in GDPR planning. The remaining third of respondents said their company had not even begun to plan for the change.
Michael Tweddle, senior director of outbound product management at Dell One Identity, told SearchSecurity while survey respondents were aware that failure to achieve GDPR compliance "could have some impact to their organization, they were really unclear as to the extent of what the impact could be."
As for awareness about GDPR, the Dell survey uncovered a deep vein of ignorance: Eighteen percent of those surveyed said they had never heard of GDPR, and 31% said they "knew something was going on but don't know any details." Only 4% claimed to be very knowledgeable about GDPR.
GDPR is the EU's new rule of law for protecting the personal data of EU residents -- whether the data resides inside the EU or not; meaning companies doing business with individuals in the EU are expected to protect personal data, even if the collecting organization is located entirely outside of the EU.
"All organizations within the EU are covered by this," Tweddle said, noting that "the only exception is for companies that have less than 250 employees; those are exempt.
"Whenever there is a data breach or data risk, there can be significant fines to the organizations that are bound by GDPR to really protect that information. There are a lot of security-related things that surround this and we're seeing a lot of interest over in Europe, but also interest in the United States, because if there are companies in the United States that are doing business in Europe, they are obligated to protect this personal information as well," Tweddle said.
Stephen Cobb, senior security researcher at ESET, told SearchSecurity, "European companies are taking the GDPR very seriously already, and there is probably a high level of GDPR-related activity at the 50 or so largest U.S. firms, but I think you would find awareness dropping off fast as you look to the broader spectrum of U.S. firms outside the top 500 or so." Cobb also pointed to a survey conducted by Vanson Bourne for Compuware earlier this year that found 52% of U.S. companies hold data on EU citizens, making them subject to GDPR compliance, yet 60% don't yet have systems in place to comply.
The penalties for GDPR compliance failure can be significant, as noted on the EU GDPR web portal: "Under GDPR, organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater)." However, that is the maximum fine specified by GDPR and would only be imposed for the most serious infringements, such as "not having sufficient customer consent to process data or violating the core of Privacy by Design concepts."
Find out more about the effects of the EU General Data Protection Regulation.
Learn about the key role information security professionals have in GDPR compliance.
Read an attorney's analysis of the EU General Data Protection Regulation.