On 25 May 2018, the General Data Protection Regulation (GDPR) will come into effect globally. The new regulation is designed to strengthen and unify data protection for everyone within the European Union (EU).
With six months to go until GDPR comes into force, Proofpoint commissioned a benchmarking survey, polling 1,500 IT decision-makers from companies with 200 or more employees in the UK, France and Germany.
As organisations scramble to prepare for the impending deadline, many are arguably confused about what successful compliance means, and key questions remain. What changes will have to be made to internal processes to comply? What technologies should companies leverage to ensure that the personal data of EU residents is protected? How can IT and security professionals embed ‘privacy by design’ into their development lifecycles?
Here are our key findings from the research:
• Data breaches are the new normal: the research shows that data breaches are significantly on the rise. More than a third (36%) of UK businesses suffered a data breach in the last two years, and nearly a quarter (23%) suffered a data breach multiple times in the past 24 months. Looking ahead, France appears to have a heightened awareness of this new reality compared to its European counterparts: 78% of French IT decision-makers consider their business likely to suffer a data breach, while German respondents (46%) are the least likely to believe they will experience an EU personal data breach.
• Organisations may be less ready than they think: Proofpoint research found a disparity around which methods are being prioritised to ensure compliance by the GDPR deadline. More than half (56%) of respondents have a user awareness programme on data protection, 46% have encryption for all personal EU data, and 49% have implemented advanced security solutions to prevent data breaches. However, according to the findings, only half of respondents (50%) know (and have documented) what personal EU data their organisations currently hold. This demonstrates that whilst some businesses are implementing strategies and recognise the importance of GDPR compliance, they are still at significant risk of non-compliance with the regulation because they cannot discover where EU personal data sits.
• GDPR compliance is not on the executive agenda: many organisations are unclear about where ownership should fall. While the majority of organisations (74%) have a cross-departmental team in place to drive the business to GDPR compliance, only 26% of IT decision-makers say their board of directors and business management are aware of and involved in their GDPR programme. Without executive buy-in and involvement, organisations will struggle to implement the changes required to meet compliance.
• Many organisations are bracing for the consequences of non-compliance: in our survey, 39% of businesses say they are financially prepared to cover the fines once GDPR is in effect. Some organisations have opted to transfer risk: 24% stated they have purchased cyber insurance in case of a breach. Cyber insurance can help cushion the cost of a breach, but many insurance policies will not cover fines for non-compliance with the GDPR principles.
Developing a plan to comply with the new rules is critical for all organisations. Failure to do so could lead to unprecedented fines of up to 4% of annual global revenue or €20,000,000, whichever is higher. One thing is clear, though: organisations must act now to deploy people, process and technology controls that protect EU personal data. Privacy is increasingly seen as a business enabler. GDPR offers businesses a great opportunity to benefit from its implementation.
The full report ‘The Great GDPR Disconnect’ can be downloaded here.