The impending mandates of the European Union's General Data Protection Regulation (GDPR) have many security and compliance officers at global organizations losing sleep, and for good reason. According to new data out last week, at the most basic level many organizations cannot even say where their most sensitive data geographically resides, let alone meet the heightened data protection requirements themselves.
A study conducted by McAfee among 800 senior business decision-makers found that only 47% of them are completely confident they know where all of their sensitive corporate data is physically stored all of the time. That's going to be a big deal in a little over seven months when GDPR officially comes into play.
One of the most stringent data privacy and protection regulations ever put in place for consumer data, GDPR ups the ante for how data physically residing in Europe, and even data simply pertaining to individuals in the EU, is handled. That includes collection, retention, and processing. It steepens fines for breaches, cuts the breach notification window to 72 hours after an organization becomes aware of a breach, and aims to put the screws to both European and global organizations to increase transparency around data protection policies.
While many organizations have been prepping in some way or another for two years on average, many are still unprepared. In fact, the McAfee survey showed that just 44% of organizations claim a complete understanding of what GDPR means to them and only 26% of organizations believe that they can meet the regulation's 72-hour breach report deadline.
These findings are hardly out of left field. This year has seen numerous surveys continue to confirm the fact that organizations are still taking the regulations lightly. In fact, last month a survey from UK law firm Blake Morgan showed that nine out of ten organizations have not made important changes to their privacy policies to keep in line with GDPR, and nearly four in 10 hadn't taken any steps to prepare for the regulation.
"With the clock counting down to the law coming into force, we would recommend a focused effort by businesses to get to grips with the changes and implement a strategic plan of action," says Simon Stokes, a partner specializing in data protection law at Blake Morgan, who says that GDPR should be seen as an exercise in good corporate housekeeping. "Not only will it avoid running the risk of financially and reputationally damaging fines or sanctions – ultimately it will assure the public's trust in your organization at a time when data privacy and security are more important than ever before."
The good news is that many business leaders surveyed by McAfee recognize that the kinds of data protection mechanisms spurred on by regulations like GDPR can serve as a competitive differentiator. Nearly three in four respondents think that organizations are using data protection as a way of attracting new customers, and 67% think that GDPR could help promote investment in Europe.
As things stand, the US remains the most preferred country for data storage when regulatory requirements are taken into account, named by a plurality of 48% of respondents. Germany was the second most named, cited by 35% of firms.