Bring on the fines: Survey finds most companies won’t be ready for GDPR

26 Apr 2018

One month to go until the new EU General Data Protection Regulation (GDPR) legislation comes into force and it looks as though most companies won’t be ready.

WinMagic today released the findings of research showing that only 51 percent of companies say they have all the systems in place that would allow them to remove EU citizen data from servers upon request - including backups - in accordance with GDPR.

What is concerning is the 21 percent of businesses that still don’t have any systems in place.

WinMagic says that in many cases companies lack the systems and processes required to ensure compliance with the new legislation, which affects all companies around the world holding and processing EU citizen data. Non-compliance can lead to fines of €20 million or 4 percent of turnover, not to mention the catastrophic reputational damage that can follow a data breach where non-compliance has heightened the risks for citizens.

“Whilst companies have made general improvements in their preparations for EU General Data Protection Regulation, the survey suggests that most will not be fully compliant with the regulation when it comes into force,” says WinMagic chief operating officer Mark Hickman.

73 percent of businesses believe GDPR will change the way they operate in order to meet compliance. However, WinMagic says there are a number of key areas where they will fail to meet the requirements of the legislation:

  • 25 percent admitted that systems were only partly implemented and would not allow the automated removal of citizen data from backups
  • Just 48 percent of data is geo-fenced so that it cannot be accidentally, or intentionally, moved out of the legal jurisdiction in which it should remain
  • 49 percent of IT decision makers (ITDMs) admit they do not always conduct security audits of the storage locations their data processing and storage partners use

Another problem uncovered by the research is the failure to encrypt data, with 20 percent of companies lacking continuous encryption for personally identifiable information across their cloud and on-premises servers, despite appropriate levels of encryption and anonymisation being a requirement for GDPR compliance.

WinMagic says continuous encryption can be complicated to implement in modern environments where infrastructure and data span both cloud and on-premises servers, leading to hidden data and a fragmentation of governance that leaves companies non-compliant and at risk of heavy fines.

If a data breach occurs, it’s all about how fast businesses can respond to control the spread and abuse of data by cybercriminals. GDPR requires companies to report data breaches to the relevant regional authority within 72 hours of discovery, yet 41 percent of ITDMs believe they could not achieve this today.

WinMagic says that perhaps more concerning is that many companies lack the tools that would identify whether a breach ever occurred or which data was taken:

  • 33 percent lack confidence and 6 percent have no confidence that their systems would automatically identify a breach triggered by an external source.
  • For internal breaches, 34 percent lack confidence and 6 percent have no confidence that their systems would automatically identify a breach event.
  • Just 55 percent believe they can precisely identify the data exposed by a breach.

“Whilst many will have sought the necessary authorisations from EU Citizens to store their data and use it for marketing etc., they will lack the processes and protections demanded by the legislation to ensure compliance and protect personally identifiable information with which they have been entrusted,” says Hickman.

“Effective control and management of the IT infrastructure spanning on-premises and cloud service providers for security and specifically encryption, will be a critical component in meeting the legislative requirements and minimising the risks to consumers.”
