Approximately 60 percent of respondents in a new survey are in the dark about the sensitive and confidential content they hold within their data, and how it’s used or treated.
Data protection firm AvePoint and cybersecurity think tank Centre for Information Policy Leadership (CIPL) have published their 2nd annual Organizational Readiness for the European Union General Data Protection Regulation (GDPR) report, tracking the GDPR implementation efforts of over 235 multinational organizations.
The GDPR establishes formal regulations around data protection for companies located in the European Union (EU) and organizations that have an EU presence. Non-compliance with the new rules can result in fines of up to 4 percent of annual global revenue or €20 million. This year’s GDPR assessment is pivotal, with the GDPR effective date less than two months away on May 25.
Companies and their data knowledge
The report underlines how knowledgeable organizations are about their data contents and the data lifecycle. The report shows that knowledge levels vary widely among different aspects of GDPR implementation.
Despite many companies’ unpreparedness, knowledge levels surrounding data security are increasing—two-thirds of organizations report they have internal breach notification procedures in place, and more than half report having a response plan and team in place.
“The report shows that companies are not where they need to be in terms of compliance efforts. GDPR merely exacerbates how much oversight is needed to enforce changes down to the individual level,” said AvePoint chief risk, privacy and information security officer Dana Simberkoff, in a news release. “The long road ahead is quickly becoming a short path as we approach the May 25, 2018 date. This assessment magnifies areas that need major improvement. Knowing where you are on the GDPR readiness scale is half the battle.”
Comprehensive programs and consent
Compared to the previous 2017 report, building and maintaining a comprehensive privacy compliance program remains one of the highest areas of impact on organizations on the road to GDPR compliance. More than half of respondents have committed additional budget to GDPR implementation, with increases ranging from hundreds of thousands of dollars to upwards of $50 million. Organizations report technology tools and software as the number one priority for GDPR-focused budget spending.
Survey data shows that respondents still rely heavily on manual methods for building and maintaining inventories of their data processing. For example, 60 percent of organizations do not have any procedures in place to identify and tag data.
“GDPR implementation consists of multiple layers of complexity,” said Bojana Bellamy, CIPL president, in the release. “The survey reveals that while some progress has been made in preparation for 25 May 2018, there is more work to be done by organisations that will have to step up their implementation efforts across many key-change areas. Reviewing data management strategies, building new comprehensive compliance programs, and putting in place new systems, processes and procedures to facilitate the changes are crucial to successful GDPR implementation.”
Other key findings:
- More than a third of organizations have no framework or procedures in place to identify and classify risk to different individuals; an equal number are working on developing such a framework.
- Approximately 32 percent of organizations have committed additional staff to their GDPR implementation efforts, an increase from under a quarter as noted in the previous report.
- Over half of survey respondents have operations in the U.S.
To gauge GDPR compliance progress, visit the AvePoint Privacy Impact Assessment (APIA) System website.