Story image

Bring on the fines: Survey finds most companies won’t be ready for GDPR

26 Apr 18

One month to go until the new EU General Data Protection Regulation (GDPR) legislation comes into force and it looks as though most companies won’t be ready.

WinMagic today released the findings of research that shows only 51 percent of companies say they have all the systems in place that will allow them remove EU citizen data from servers upon request - including backups - in accordance with GDPR.

What is concerning is the 21 percent of businesses that still don’t have any systems in place.

WinMagic says in many cases companies lack the systems and process required to ensure compliance with the new legislation that affects all companies around the world holding and processing EU citizen data. Non-compliance can lead to fines of €20 million or 4 percent of turnover, not to mention the catastrophic reputational damage that can occur from a data breach where non-compliance has heightened the risks for citizens.

“Whilst companies have made general improvements in their preparations for EU General Data Protection Regulation, the survey suggests that most will not be fully compliant with the regulation when it comes into force,” says WinMagic chief operating officer Mark Hickman.

73 percent of businesses believe GDPR will change the way their business will operate to meet compliance, however, WinMagic says there are a number of key areas where they will fail to meet the requirements of the legislation:

  • 25 percent admitted that systems were only part implemented, and would not allow the automated removal of citizen data from back-ups
  • Just 48 percent of data is geo-fenced so that it cannot be accidentally, or intentionally, moved out of the legal jurisdiction under which it should be
  • 49 percent of ITDMs admit not always conducting security audits of the storage locations their data processing and storage partners use

Another problem uncovered by the research is the failure to encrypt data, with 20 percent of companies lacking continuous encryption for personally identifiable information across their cloud and on-premises servers, despite appropriate levels of encryption and anonymisation being a requirement for GDPR compliance.

WinMagic says continuous encryption can be complicated to implement in modern environments where infrastructure and data span both cloud and on-premises servers, leading to hidden data and a fragmentation of governance that leaves companies non-compliant and at risk of heavy fines.

If a data breach occurs, it’s all about how fast businesses can respond to control the spread and abuse of data by cybercriminals. GDPR requires companies to report data breaches to the relevant regional authority within 72 hours of discovery, yet 41 percent of ITDMs believe they could not achieve this today.

WinMagic says that perhaps more concerning is that many companies lack the tools that will identify a breach ever occurred or the data taken:

  • 33 percent lack confidence and 6 percent have no confidence that their systems would automatically identify a breach triggered by an external source.
  • For internal breaches, 34 percent lack confidence and 6 percent have no confidence that their systems would automatically identify a breach event.
  • Just 55 percent believe they can precisely identify the data exposed by a breach.

“Whilst many will have sought the necessary authorisations from EU Citizens to store their data and use it for marketing etc., they will lack the processes and protections demanded by the legislation to ensure compliance and protect personally identifiable information with which they have been entrusted,” says Hickman.

“Effective control and management of the IT infrastructure spanning on-premises and cloud service providers for security and specifically encryption, will be a critical component in meeting the legislative requirements and minimising the risks to consumers.”

AlgoSec delivers native security management for Azure Firewall
AlgoSec’s new solution will allow a central management capability for Azure Firewall, Microsoft's new cloud-native firewall-as-a-service.
How to configure your firewall for maximum effectiveness
ManageEngine offers some firewall best practices that can help security admins handle the conundrum of speed vs security.
Exclusive: Why botnets will swarm IoT devices
“What if these nodes were able to make autonomous decisions with minimal supervision, use their collective intelligence to solve problems?”
Why you should leverage a next-gen firewall platform
Through full lifecycle-based threat detection and prevention, organisations are able to manage the entire threat lifecycle without adding additional solutions.
The quid pro quo in the IoT age
Consumer consciousness around data privacy, security and stewardship has increased tenfold in recent years, forcing businesses to make customer privacy a business imperative.
ForeScout acquires OT security company SecurityMatters for US$113mil
Recent cyberattacks, such as WannaCry, NotPetya and Triton, demonstrated how vulnerable OT networks can result in significant business disruption and financial loss.
'DerpTrolling’ faces jail time for Sony DoS attacks
A United States federal court has charged a 23-year-old man for the hacks on Sony Online Entertainment and other major companies back in 2014.
Dropbox strengthens security with raft of new partnerships
Integrations will keep customer content protected and secure with tools for controlling identity access, governing data, and managing devices.