The organisations most reliant on collecting, analysing, and using personal data are among the least well-equipped to deal with incoming data protection legislation -- just months before it is due to come into force.
Those who are found not to be compliant with the General Data Protection Regulation (GDPR) -- a new set of rules from the European Union which aims to simplify data protection laws and provide citizens across all member states with more control over their personal data -- could face fines if found to misuse, exploit, lose, or otherwise mishandle personal data.
Once GDPR comes into force from 25 May 2018, the financial penalties for failing to comply, especially if the organisation is hacked and found to be negligent, could potentially reach four percent of company turnover.
However, a report by analysts Forrester suggests that many organisations may not be GDPR compliant by 25 May: just a quarter of organisations across Europe are thought to be GDPR compliant already, while another 22 percent expect to be GDPR compliant in the next 12 months.
But, despite GDPR becoming law in just under four months, Forrester found that 11 percent of organisations are still considering what to do about it, while eight percent of organisations aren't familiar with GDPR at all.
Forrester's research found that organisations in media and retail -- sectors which handle some of the largest amounts of customers' personal data -- are currently the least prepared for GDPR, with just 27 reported to be fully GDPR-compliant.
These firms are typically based around data-driven activities related to direct marketing, personalisation, and customer profiling, but many have only recently started to take GDPR seriously. Indeed, some firms in media and retail have only begun making moves towards GDPR compliance "under the pressure of their own customers", says The State of GDPR Readiness report.
Among the industry-specific issues retailers will need to be prepared for are ensuring compliance with rules regarding consent and data subject rights, including the right to be forgotten.
That's in addition to ensuring that all data is protected from internal or external misuse, and that in the event of a data breach, all customers and the authorities are informed about the data that's potentially at risk within 72 hours following the discovery of the breach.
Media and retail lag behind others in preparing for GDPR because "firms in these verticals haven't traditionally been subjected to high regulatory pressures", Enza Iannopollo, analyst on security and risk at Forrester and author of the report, told ZDNet.
"In addition, these organisations do not have a well-defined approach to risk management, which also contributes to delaying the execution of their GDPR compliance strategies," she added.
While media and retail lag behind on GDPR compliance, finance leads the way in being prepared for the new legislation: the banking sector is highly aware of the damage that could be done if data were exposed or otherwise mishandled -- and that not being GDPR compliant could result in additional regulations for financial firms, something which many in the industry may view as unwanted.
The Forrester report also details how large numbers of organisations around the world still mistakenly believe that GDPR doesn't apply to them. But if an organisation does business or has customers in a European Union country -- especially if it collects data about those customers -- it needs to comply with GDPR.