Study finds global firms ill-prepared for upcoming EU data regulations

General Data Protection Regulation, coming May 25, 2018, affects any firm that does business in the EU and imposes colossal fines for mismanagement of personal data

The EU’s General Data Protection Regulation aims to harmonize data privacy and protection mandates across the union’s 28 member states. PHOTO: Pixabay

MOUNTAIN VIEW, Calif.—A study from California-based data management firm Veritas Technologies LLC has found that organizations across the globe mistakenly believe they are in compliance with the upcoming General Data Protection Regulation (GDPR) coming out of the European Union.

The GDPR aims to harmonize data privacy and protection mandates across the EU’s 28 member states, and it requires organizations to implement specific protection measures and processes to effectively manage personal data.

This regulation will take effect on May 25, 2018 and will apply to any organization—inside or outside the EU—that offers goods or services to EU residents or collects data on EU residents for marketing purposes.

Not complying with the new regulations can result in incredibly stiff penalties. Breaching the GDPR carries a maximum fine of up to four per cent of a firm’s global annual turnover or 20 million euro (roughly CA$29.5 million), whichever is greater.

With potentially business-ending implications at stake and Vertias’ research illustrating a lack of knowledge about the regulation in the global business community, there is certainly cause for concern.

According to Veritas’ 2017 GDPR Report, 31 per cent of respondents said that their firm already conforms to the legislation’s key requirements. However, when those same respondents were asked about specific GDPR provisions, most provided answers that show they are unlikely to be in compliance.

Veritas says that only two per cent of respondents actually appear to be in compliance.

The report finds that 48 per cent of organizations who stated they are compliant do not have full visibility over personal data loss incidents.

In addition, 61 per cent of the same group admitted that it is difficult for their organization to identify and report a personal data breach within 72 hours of awareness—a mandatory GDPR requirement where there is a risk to data subjects.

Any organization that is unable to report the loss or theft of personal data—such as medical records, email addresses and passwords—to the proper supervisory body within this timeframe is breaking with this requirement and vulnerable to an exorbitant fine.

Veritas says that many firms may need to revisit their compliance strategies.

Understanding Firm Responsibilities

One way to ensure compliance is by restricting former employee access to corporate data and deleting their systems credentials. Veritas says this can help stem malicious activity and ensure that financial loss and reputational damage are avoided.

However, 50 per cent of firms that believe they are compliant said former employees are still able to access internal data.

Another important element of the GDPR is that it enshrines the right of EU residents to request the removal of their personal data from an organization’s databases—”the right to be forgotten”.

That said, of the organizations that think they are GDPR-ready, 18 per cent admitted that personal data cannot be purged or modified in their organizations. A further 13 per cent said that they do not have the capability to search and analyze personal data to uncover explicit or implicit references to an individual, and they are unable to accurately visualize where their data is stored.

Vertias says firms must ensure that personal data is only used for the reasons it was collected and is deleted when it’s no longer needed.

The firm also says there is a common misunderstanding among organizations regarding the responsibility of data held in cloud environments.

49 per cent of supposedly compliant companies consider it the sole responsibility of their cloud service providers (CSP) to ensure data compliance in the cloud, when, in fact, the responsibility lies with the organization to ensure that the CSP provides sufficient GDPR guarantees—confusion that could have serious repercussions once the regulation is enacted.

“The GDPR dictates that multi-national corporations take data management seriously. However, the latest findings show confusion over what’s needed to comply with the regulation’s mandatory provisions. With the implementation date looming ever closer, these misconceptions need to be eradicated fast,” said Mike Palmer, executive vice president and chief product officer, Veritas.

Palmer continued, “With regulations like the GDPR you have to understand what data you have in your organization. But you must also know how to take action on it and how to classify it so that policy can be applied accordingly. These are the fundamentals of compliance and the findings today should be used to educate businesses about the mistaken beliefs that could put an organization out of business.”