Implications of GDPR Breach Notification Requirements Are Under Appreciated


Given the scope of work involved in complying with the General Data Protection Regulation (GDPR) that is now being put into effect by the European Union, it should not come as much of a surprise that most organizations have missed the May 25th deadline to one degree or another.

A report published this week by Crowd Research Partners suggests that 60 percent of organizations are at risk of missing the GDPR deadline. Only seven percent of the organizations surveyed say they are in full compliance with GDPR requirements today. Just over a third (33%) say they are well on their way to compliance, which suggests there is still much work to be done.

In fact, the report also finds that approximately a third of surveyed companies will need to make substantial changes to data security practices and systems to achieve compliance with GDPR. The new EU regulation says that when a breach of security occurs, it should be reported to the supervisory authority within 72 hours. If the security breach is also likely to result in a high privacy risk for individuals, those individuals should also be informed. Exactly how the severity of a breach will be determined, however, remains a little fuzzy. It’s up to the organization impacted to make that determination. But regulators are clearly signaling they will evaluate that decision should the disclosure of a breach come from another source. Many organizations would be well advised to err on the side of caution by disclosing more breaches, even though the costs associated with that activity remain substantial.

The highest-ranked initiative for achieving GDPR compliance is still creating an inventory of user data and then mapping that data to protected GDPR categories (71%). Once that work is finished, organizations need to evaluate, develop, and integrate solutions that enable GDPR compliance, which in many cases includes updating cybersecurity policies.

Alas, the report suggests many organizations are still conflicted when it comes to GDPR. A full 80 percent say GDPR is a top priority for their organization. But only half say they are knowledgeable about the data privacy legislation or have deep expertise. Another quarter (25%) say they have no or only very limited knowledge of the new regulation. The primary compliance challenges are lack of expert staff (43%), closely followed by lack of budget (40%) and a limited understanding of GDPR regulations (31%). The impact of that lack of knowledge is already being seen. Several prominent news sites based in the U.S. served notices to readers in Europe that they would not be able to access content until further notice. Apparently, some organizations decided that blocking access to citizens in Europe is the better part of valor, given both the costs involved and the size of potential GDPR fines, which can reach as high as four percent of worldwide revenue.

The good news is that a majority (56%) expect their organization’s data governance budget to increase to deal with GDPR challenges. Of course, that also implies 44 percent don’t. A lot of the work associated with achieving GDPR compliance will probably fall to managed service providers (MSPs) that have developed GDPR expertise.

Much of the GDPR work inside organizations is being spearheaded by chief financial officers (CFOs) working closely with IT teams to update applications that contain personally identifiable information (PII). But cybersecurity professionals might want to insert themselves more aggressively into those efforts, given the GDPR breach disclosure requirements. This wouldn’t be the first time cybersecurity concerns were overlooked in the rush to meet a deadline. The trouble is that the cost of ignoring those issues may soon prove to be a lot more prohibitive than almost anyone yet fully appreciates.
