Story image

Bring on the fines: Survey finds most companies won’t be ready for GDPR

26 Apr 2018

One month to go until the new EU General Data Protection Regulation (GDPR) legislation comes into force and it looks as though most companies won’t be ready.

WinMagic today released the findings of research that shows only 51 percent of companies say they have all the systems in place that will allow them remove EU citizen data from servers upon request - including backups - in accordance with GDPR.

What is concerning is the 21 percent of businesses that still don’t have any systems in place.

WinMagic says in many cases companies lack the systems and process required to ensure compliance with the new legislation that affects all companies around the world holding and processing EU citizen data. Non-compliance can lead to fines of €20 million or 4 percent of turnover, not to mention the catastrophic reputational damage that can occur from a data breach where non-compliance has heightened the risks for citizens.

“Whilst companies have made general improvements in their preparations for EU General Data Protection Regulation, the survey suggests that most will not be fully compliant with the regulation when it comes into force,” says WinMagic chief operating officer Mark Hickman.

73 percent of businesses believe GDPR will change the way their business will operate to meet compliance, however, WinMagic says there are a number of key areas where they will fail to meet the requirements of the legislation:

  • 25 percent admitted that systems were only part implemented, and would not allow the automated removal of citizen data from back-ups
  • Just 48 percent of data is geo-fenced so that it cannot be accidentally, or intentionally, moved out of the legal jurisdiction under which it should be
  • 49 percent of ITDMs admit not always conducting security audits of the storage locations their data processing and storage partners use

Another problem uncovered by the research is the failure to encrypt data, with 20 percent of companies lacking continuous encryption for personally identifiable information across their cloud and on-premises servers, despite appropriate levels of encryption and anonymisation being a requirement for GDPR compliance.

WinMagic says continuous encryption can be complicated to implement in modern environments where infrastructure and data span both cloud and on-premises servers, leading to hidden data and a fragmentation of governance that leaves companies non-compliant and at risk of heavy fines.

If a data breach occurs, it’s all about how fast businesses can respond to control the spread and abuse of data by cybercriminals. GDPR requires companies to report data breaches to the relevant regional authority within 72 hours of discovery, yet 41 percent of ITDMs believe they could not achieve this today.

WinMagic says that perhaps more concerning is that many companies lack the tools that will identify a breach ever occurred or the data taken:

  • 33 percent lack confidence and 6 percent have no confidence that their systems would automatically identify a breach triggered by an external source.
  • For internal breaches, 34 percent lack confidence and 6 percent have no confidence that their systems would automatically identify a breach event.
  • Just 55 percent believe they can precisely identify the data exposed by a breach.

“Whilst many will have sought the necessary authorisations from EU Citizens to store their data and use it for marketing etc., they will lack the processes and protections demanded by the legislation to ensure compliance and protect personally identifiable information with which they have been entrusted,” says Hickman.

“Effective control and management of the IT infrastructure spanning on-premises and cloud service providers for security and specifically encryption, will be a critical component in meeting the legislative requirements and minimising the risks to consumers.”

Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
Facebook fights fake news ahead of Africa elections
“We also show related articles from fact-checkers for more context and notify users if a story they have shared is rated as false.”
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.
Opinion: 4 Ransomware trends to watch in 2019
Recorded Future's Allan Liska looks at the past big ransomware attacks thus far to predict what's coming this year.