General lack of awareness of GDPR
12 October 2016
A global survey from Dell Technologies has found a general lack of awareness, among organisations large and small, regarding the upcoming EU General Data Protection Regulation (GDPR).
The survey found that organisations of all kinds to which the regulation will apply were unaware of the regulation, of how to prepare for it, and of the impact of non-compliance on data security and business outcomes.
The vast majority (82%) of global IT and business professionals responsible for data security, at both small to medium businesses (SMB) and enterprises, are concerned with GDPR compliance. Despite this widespread concern, respondents lack general awareness of GDPR, and are neither prepared for it now, nor expect to be when it goes into effect.
According to the survey of 821 qualified individuals in organisations that will have to comply with the regulations, more than 80% said they know few details or nothing about GDPR. Furthermore, less than one in three companies feel they are prepared for GDPR today.
Almost 70% of IT and business professionals say that they are either unprepared, or do not know if they are prepared, to meet GDPR today, with only a worrying 3% having a plan for readiness.
Respondents in Germany had the highest proportion of those that feel prepared for GDPR (44%), while respondents in Benelux (Belgium, the Netherlands, Luxembourg) feel least prepared at 26%. More than three quarters (75%) of respondents outside Europe say they are not, or don’t know if they are, prepared for GDPR.
Almost all companies (97%) do not have a plan in place when GDPR kicks off in 2018.
Scope and depth
“The European Union General Data Protection Regulation is the first update to European data protection laws since 1995,” said John Milburn, vice president and general manager, Dell One Identity Solutions, “when the Internet was in its infancy and the constantly evolving cyberthreats we know today did not exist.”
“This survey reinforces the global lack of general understanding of GDPR, the scope of the regulation, and what organisations need to do to avoid stringent penalties. Results also show that while some organisations ‘think’ they are prepared, they will be in for a rude awakening if they experience a breach or must face an audit and are subject to the consequences of non-compliance with GDPR.”
“Don’t put off early consideration of GDPR by the two-year implementation period,” warned Duncan Brown, IDC. “The scale, complexity, cost and business criticality of GDPR means that it will take (at least) two years for most companies to achieve full compliance. Most companies need to start now.”
The survey results show that while organisations realise failure to comply with GDPR will impact both data security and business outcomes, they are unclear as to the extent of change required, or the severity of penalties for non-compliance and how changes may affect the business.
Some 79% say their organisation would not have faced penalties for its approach to data privacy if GDPR had been in effect this past year, or were not aware whether it would have.
Of the more than one in five (21%) respondents who said they would face a penalty if GDPR were in place today, more than a third (36%) think it would require only an easy remediation, or do not know the penalty. Nearly half believe they would face a moderate financial penalty or manageable remediation work. Furthermore, almost a quarter expect significant changes in current data security practices and technologies.
Dell offered some advice on the journey towards compliance, centred around a few key points.
Hire a data protection officer (DPO). A GDPR requirement, the position can be full-time, or filled by an employee with other responsibilities or by an outsourced agency. The good news is that a designated DPO can be provided as a service, so some system integrators or resellers could offer this as a service to grow their businesses.
Deploy a firm access governance solution. The ability to govern access to applications that permit access to EU citizens’ personal data ‒ particularly unstructured data ‒ is a major factor in data security and GDPR compliance. Governance generally requires periodic review of access rights by line-of-business managers and attestation (or recertification) that the permissions align with their job roles and do not compromise data security.
Control access management. To satisfy GDPR, employees and contractors must have the correct access permission to do their jobs and nothing more. The right identity and access management technologies that facilitate this level of control include multi-factor authentication, secure remote access, risk-based/adaptive security, granular password management, and full control over privileged user credentials and activity.
Protect the perimeter. Deploy next-generation firewalls to reduce the network’s exposure to cyber threats, mitigate the risk of data leaks that could lead to a data breach resulting in stiff penalties assessed under GDPR, and deliver the forensic insight required to prove compliance and execute appropriate remediation following a breach.
Facilitate secure mobile access. Foster the secure flow of covered data while enabling employees to access the corporate applications and data they need in the way they prefer, and with the devices they choose. Enhance data security (while removing access obstructions) by combining identity components, device variables and temporal factors (time, location, etc.) to deliver an adaptive, risk-based approach that ensures the right access all the time, every time, while concurrently improving data protection and GDPR compliance.
Ensure email security. To fulfil GDPR requirements, achieve full control and visibility over email activity to mitigate the threat of phishing and other email-based attacks on protected information, while enabling the secure and compliant exchange of sensitive and confidential data.
“This new regulation provides uniform data protection rights across the EU, and, to be in compliance, both European organisations and those outside of Europe that do business there must adopt an adaptive, user-centric, layered security model approach around the tenets of prevent, detect, respond and predict,” said Patrick Sweeney, vice president, product management and marketing, Dell SonicWALL. “To be GDPR-compliant, they need security solutions that enable them to prevent attacks, detect a potentially dangerous presence in their networks, respond quickly to that threat, and analyse and report on the health of their networks in real time.”