Nearly 40% of Businesses Affected by the General Data Protection Regulation (GDPR) Aren’t Compliant

7.26.2017 | by Dorie Phillips

Organizations Worldwide Race to Meet GDPR Security Standards before 2018 Deadline

The General Data Protection Regulation (GDPR) has been causing angst amongst IT compliance, data protection, and security professionals ever since its approval on April 14th, 2016. The GDPR has served as a catalyst for millions of dollars of investment to reach compliance by the ominous deadline of May 25th, 2018. In fact, a live countdown to the deadline can be found on the EU GDPR homepage, www.eugdpr.org, as if IT professionals affected by the regulation would forget when compliance becomes mandatory, and heavy fines kick in.

In order to determine how companies are being affected by the regulation, RainKing Research has reached out to a variety of IT professionals in the US, Canada, and the UK. Their feedback has provided valuable insight into new investments and operational changes caused by the requirements of the GDPR.

But what exactly is the GDPR? The General Data Protection Regulation (GDPR) is a set of requirements set forth by the EU Parliament in order to ensure consistent privacy laws protecting the personal data of EU residents. In this case, personal data is defined on the GDPR homepage as “any information related to a natural person or ‘Data Subject’ that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer IP address.” The primary purpose of the GDPR is to protect EU citizens from privacy and data breaches, which have become increasingly frequent with the advancement of criminal cyber-security, malware, and hacking activity.

The regulation lays out a long list of requirements for compliance. However, the articles having the most impact involve the hiring of high-level data management professionals, cross-border data transfers, vendor management, and the manipulation of data so that it is neither anonymous nor identifiable, which is called pseudonymization.

According to the data collected by RainKing Research, participants affected by the GDPR include organizations headquartered in the EU (24%), organizations with locations in the EU (26%), and organizations doing business with companies in the EU (29%). This confirms that organizations in the EU are certainly not the only ones being affected by the regulation.

RainKing Research asked participants which key areas still require investment for their organizations to become compliant in 2018. Below are the areas that still need to be addressed, along with the percentage of organizations that must invest in these initiatives:

  • Processes for pseudonymization of personal data (29%)
  • Processes for testing, assessing, and evaluating data security (36%)
  • Creating positions for Controllers and Processors of data (19%)

In addition, one of the key requirements laid out in the regulation is the hiring of a Data Protection Officer. The research gathered by RainKing indicated that 21% of organizations still need to hire a Data Protection Officer before the deadline in 2018. The Data Protection Officer is responsible for overseeing all matters related to data protection strategy, and the implementation of processes to ensure compliance is met.

Perhaps the changes with the greatest impact introduced by the GDPR are restrictions related to the transfer of data to countries outside the EU. The GDPR requires that any country receiving data from the EU have adequate data security measures in place. RainKing Research wanted to know how many organizations’ day-to-day processes would be affected by this, and found that 32% would have to change their data transfer processes because of this regulation. We also found that 22% will be evaluating third-party vendors, and 6% have already selected a vendor.

RainKing Research plans to continue interviewing security and compliance decision makers from both the UK and the US to gain deeper insight on the impact of GDPR, as well as expert opinions on the strengths and weaknesses of this regulation. One thing is certain: from our initial analysis, we can see that significant investments will still need to be made by many organizations before the deadline in 2018.

 Data and analysis by RainKing Analytics