Underlining the corporate world’s casual approach to securing the personal data of customers, fewer than one-fifth of all companies subject to new European Union privacy protection rules are confident they’ll be able to comply when those rules go into effect next month. They’ve had more than two years to prepare.
In mid-2016, the European Union enacted the Global Data Protection Regulation (GDPR). Any company that operates in the EU and collects any personal data is automatically subject to the regulation. That includes companies headquartered in North America and the Asia Pacific region.
The act created a single authority to oversee and manage GDPR. Organizations are obligated to take measures to protect personal data, monitor and update those mechanisms, and respond immediately should personal data be compromised. The regulation includes a provision for the right to be forgotten, a notion that has gained a little more prominence in the wake of the recent Facebook data breach.
Companies can be fined for violating the GDPR, up to €20 million ($24.7 million).
The rules go into effect May 25. According to a new survey from the Cloud Security Alliance, 83% of all companies subject to the law lack confidence they’ll be able to meet the deadline.
More than a quarter of all companies are barely aware of GDPR, if at all.
Netskope CEO Sanjay Beri said, "Alarmingly, 27% of survey respondents reported having little to no familiarity with the GDPR even with the deadline for compliance a little more than a month away. This holds serious implications for enterprises as well as their customers." Netskope, a company with expertise in cloud security, sponsored the survey, which covers companies from all over the world, representing a wide cross section of industries.
Beri continued: "With enforcement of the new regulation beginning in a matter of weeks, not months or years, and with serious monetary penalties at stake, security and privacy can no longer be an afterthought."
Aside from whether they can hit the deadline, nearly three-quarters of the surveyed companies (72%) feel they’re either somewhat prepared or very prepared for GDPR, though only just over half (54%) have a well-defined or somewhat defined plan for how to comply. Fewer than half (45%) have actually begun putting their plans into action.
The survey notes the obvious, that there are costs to compliance, but it also asserts that the use of the technologies involved and the skills gained from using them will have long-term advantages. It concludes that “GDPR is changing the level of awareness on customer data protection and increasing accountability on those collecting customer data. With the race to meet GDPR expectations upon us, companies are beginning to understand the requirements and impacts on their data supply chain.”