The deadline for complying with the General Data Protection Regulation (GDPR) is rapidly approaching, and many companies still aren't prepared, according to a newly released study by security research firm Crowd Research Partners.
GDPR, a set of rules developed by the European Parliament, European Council, and European Commission to ensure data protection for individuals within the European Union (EU), officially takes effect on May 25, 2018. Any company that handles data for individuals within the coverage area is affected, and the penalties for non-compliance can be up to 4 percent of the violating company's global annual revenue.
The Crowd Research report, based on the results of an online survey of more than 531 IT, cyber security, and compliance professionals, shows that 60 percent of surveyed organizations are likely to miss the compliance deadline.
Just 40 percent of those surveyed said they're either GDPR-compliant or well on their way to compliance in time for the deadline, and only 7 percent said they're in full compliance with GDPR requirements.
Many of the organizations (80 percent) concede that GDPR compliance is a top priority, yet only half said they are knowledgeable about the data privacy legislation or have deep expertise with regard to the regulation. What's even more alarming is that given the amount of publicity surrounding GDPR, one quarter of the organizations said they have no knowledge or only limited knowledge of the law.
"What is striking in this study is the lack of staff with GDPR expertise and an overall underestimation of the effort required to meet GDPR, which represents the most sweeping change in data privacy regulation in decades," said Holger Schulze, CEO of Cybersecurity Insiders and founder of the Information Security Community on LinkedIn, which commissioned the study.
The main compliance challenges facing organizations are a lack of expert staff (cited by 43 percent), lack of budget (40 percent), and a limited understanding of GDPR regulations (31 percent). Most of the organizations (56 percent) expect their data governance budget will increase, which will help in addressing the GDPR challenges.
About one third of the organizations said they'll need to make big changes to their data security practices and systems to comply with GDPR, and more than half expect to make only minor changes.
At most organizations, IT and information security teams have the main responsibility for meeting GDPR compliance. A majority of them said making an inventory of user data, and mapping the data to protected GDPR categories, is a priority in their GDPR compliance efforts. This is followed by evaluating, developing, and integrating systems that support GDPR compliance.
Most of the organizations' insider threat programs are not meeting GDPR reporting guidelines, the report said. GDPR's "Right to Explanation" gives EU citizens the right not to be subject to a decision based solely on automated processing. About one third of the organizations said their current automated assessment techniques are "black boxed." That means they're not able to explain how the algorithms made a decision.
Most GDPR-relevant data is stored on premises. But about one third of the organizations store data in the cloud or in hybrid IT environments, which makes control over the data potentially more difficult, the report said.