Risk

10/11/2017
09:00 AM
Connect Directly
Twitter
Twitter
RSS
E-Mail
50%
50%

GDPR Concerns Include 'Where's My Data Stored?'

European data protection regulations are coming like a freight train and many firms are still unprepared.

The impending mandates stipulated by the European Union's General Data Protection Regulation (GDPR) have many security and compliance officers at global organizations losing sleep, and for good reason. According to new data out last week, at the most basic levels many organizations are unprepared to even say where their most sensitive geographically resides, let alone ready for the heightened data protection requirements themselves.

A study conducted by McAfee among 800 senior business decision-makers found that only 47% of them are completely confident they know where all of their sensitive corporate data is physically stored all of the time. That's going to be a big deal in a little over seven months when GDPR officially comes into play.

One of the most stringent data privacy and protection regulations ever put in place for consumer data, GDPR ups the ante for how data physically residing in Europe and even simply pertaining to individuals in the EU is handled. That includes collection, retention, and processing. It steepens fines for breaches, cuts down breach notification windows to just a few days after discovery, and aims to put the screws to both European and global organizations to increase transparency around data protection policies. 

While many organizations have been prepping in some way or another for two years on average, many are still unprepared. In fact, the McAfee survey showed that just 44% of organizations claim a complete understanding of what GDPR means to them and only 26% of organizations believe that they can meet the regulation's 72-hour breach report deadline.

These findings are hardly out of left field. This year has seen numerous surveys continue to confirm the fact that organizations are still taking the regulations lightly. In fact, last month a survey from UK law firm Blake Morgan showed that nine out of ten organizations have not made important changes to their privacy policies to keep in line with GDPR, and nearly four in 10 hadn't taken any steps to prepare for the regulation.

"With the clock counting down to the law coming into force, we would recommend a focused effort by businesses to get to grips with the changes and implement a strategic plan of action," says Simon Stokes, a partner specializing in data protection law at Blake Morgan, who says that GDPR should be seen as an exercise good corporate housekeeping. "Not only will it avoid running the risk of financially and reputationally damaging fines or sanctions – ultimately it will assure the public’s trust in your organization at a time when data privacy and security are more important than ever before." 

The good news is that many business leaders surveyed by McAfee recognize that the kinds of data protection mechanisms spurred on by regulations like GDPR would serve as a competitive differentiator. Nearly three in four reported think that organizations are using data protection as a way of attracting new customers, and 67% think that the GDPR could help promote investment in Europe.

As things stand, the US still remains the top preferred country for data storage due to regulatory requirements, named by a plurality of 48%. Second most named was Germany, which was named by 35% of firms.

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: White Privelege Day
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17282
PUBLISHED: 2018-09-20
An issue was discovered in Exiv2 v0.26. The function Exiv2::DataValue::copy in value.cpp has a NULL pointer dereference.
CVE-2018-14592
PUBLISHED: 2018-09-20
The CWJoomla CW Article Attachments PRO extension before 2.0.7 and CW Article Attachments FREE extension before 1.0.6 for Joomla! allow SQL Injection within download.php.
CVE-2018-15832
PUBLISHED: 2018-09-20
upc.exe in Ubisoft Uplay Desktop Client versions 63.0.5699.0 allows remote attackers to execute arbitrary code. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of URI ha...
CVE-2018-16282
PUBLISHED: 2018-09-20
A command injection vulnerability in the web server functionality of Moxa EDR-810 V4.2 build 18041013 allows remote attackers to execute arbitrary OS commands with root privilege via the caname parameter to the /xml/net_WebCADELETEGetValue URI.
CVE-2018-16752
PUBLISHED: 2018-09-20
LINK-NET LW-N605R devices with firmware 12.20.2.1486 allow Remote Code Execution via shell metacharacters in the HOST field of the ping feature at adm/systools.asp. Authentication is needed but the default password of admin for the admin account may be used in some cases.