With just over one month before the European Union’s General Data Protection Regulation (GDPR) goes live, surveys continue to suggest that a large number of organisations are either struggling with compliance or underestimate the impact.
When GDPR comes into force on 25 May 2018, organisations that store or process personal data of EU citizens will face challenging data protection and privacy requirements. Failure to comply can result in fines of up to EUR 20 million or 4% of global annual revenue, whichever is higher.
GDPR introduces a mandatory notification regime – organisations will have just 72 hours to notify the regulator of a data breach – as well as other requirements, such as the need to prepare a data breach response plan. The regulations also introduce increased rights for data owners that could make litigation more likely and costly.
Despite the immensity of potential penalties, surveys consistently show that, at best, around half of companies are confident in their ability to comply with GDPR. Many organisations are either unaware of the regulations, underestimate their implications or are finding the task technically challenging.
A survey of some 3,000 companies in 10 countries by Forrester Research found that only one third of companies are ready for GDPR. Forrester said only 26% of firms based in Europe believe that they are compliant while another 22% expect to be compliant within eight months.
Even among those firms that believe they are compliant, many will not have done all the work required. Forrester said that many companies are overstating their readiness.
Another survey in February from US consultancy Senzing found an “alarming” picture of GDPR readiness across major EU economies. The survey of over 1,000 companies in the UK, Germany, France, Spain and Italy found that 60% are not GDPR ready while 44% are concerned about their ability to comply with GDPR.
Senzing also found that a large number of companies do not understand the consequences of non-compliance, with a large proportion stating that there would be no, or limited, impact both from a financial penalty and brand reputation perspective.
In the UK, initial findings of a survey by the Department for Digital, Culture, Media and Sport (DCMS) found that less than half of businesses are even aware of GDPR. Awareness was particularly low in the construction and manufacturing sectors.
Of those that are aware of the new rules, just over a quarter have made changes to their operations and just under a half of businesses have altered cyber security practices, including creating or improving cyber security procedures, hiring new staff and installing or updating anti-virus software.
Similarly, a survey of 250 UK chief information security officers by cyber security firm Bitdefender found that 26% would not be able to give a clear and concise description of GDPR and how their company has complied. Worryingly, 51% of the chief information security officers surveyed by Bitdefender said that they would be tempted to risk non-compliance to offset a complex implementation process.
DCMS warned that there will be no regulatory ‘grace’ period, although organisations that self-report and engage with the regulator to resolve issues can expect this to be taken into account when the Information Commissioner’s Office (ICO) considers action. It is urging UK organisations to prepare and follow the ICO guidance and GDPR check-list.
The extraterritorial reach of GDPR means that non-EU firms that process data on European residents (for example, EU customers or employees) will also need to comply with the new regulations. However, many firms outside the EU are unaware of Europe’s new privacy rules.
According to a recent survey by software firm Sage, 84% of US companies do not understand what GDPR means for their business and 91% currently lack awareness around GDPR requirements.
Further, 74% of US companies told Sage that they are not confident that they will be compliant with the GDPR requirements by May 25. Separate research published in January from MediaPro shows more than half of US-based employees have never heard of GDPR.
US firms such as Equifax and Uber, whose 2017 breaches affected the data of EU citizens, would potentially have faced large fines had GDPR been in force. Non-compliance with breach notification is likely to result in hefty regulatory fines in future.
In a recent article in the RIMS Risk Management magazine, JLT Specialty Head of Cyber Sarah Stephens advised non-EU firms to assess whether they would fall under the remit of GDPR. Any contact with entities within the EU, whether they are selling into the EU or using EU data as part of global business operations, will inevitably have GDPR implications, she said.
AIDING AND ABETTING
On a separate note, GDPR could also attract the attention of cyber criminals, making cyber extortion more attractive and lucrative, according to Trend Micro. Cyber criminals could specifically target private data covered by the regulation and ask companies to pay an extortion fee rather than risk punitive fines, the cyber security firm said. GDPR could also lead to an increase in breach attempts and ransom demands, as well as be used as a social engineering tactic.
For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on firstname.lastname@example.org