
GDPR awareness: 1 in 5 businesses claim a fine wouldn’t bother them

Through a recent survey, Trend Micro found that C-suite executives are not approaching the regulation with the seriousness required, resulting in overconfidence when it comes to compliance.

The company’s research reveals a robust awareness of the principles behind GDPR, with a strong 95 percent of business leaders knowing they need to comply with the regulation, and 85 percent having reviewed its requirements. In addition, 79 percent of businesses are confident that their data is as secure as it can possibly be.

Despite this perceived awareness, there is some confusion as to exactly what Personally Identifiable Information (PII) needs to be protected. Of those surveyed, 64 percent were unaware that a customer’s date of birth constitutes PII. Additionally, 42 percent wouldn’t classify email marketing databases as PII, 32 percent don’t consider physical addresses to be PII, and 21 percent don’t see a customer’s email address as PII, either.

These results indicate that businesses are not as prepared or secure as they believe themselves to be. Regardless of how businesses classify it, this data provides attackers with all they need to commit identity theft, and any business not properly protecting this information is at risk of a penalty fine.


The cost of not being compliant

According to the survey, a staggering 66 percent of respondents appear to be dismissive of the amount they could be fined without the required security protections in place. Only 33 percent recognize that up to four percent of their annual turnover could be sacrificed.

Additionally, 66 percent of businesses believe reputation and brand equity damage is the biggest pitfall in the event of a breach, with 46 percent of respondents claiming this would have the largest effect amongst existing customers. These attitudes are especially alarming considering businesses could be shut down in the event of a breach.

“Investing in state of the art equipment and employing data protection policies should be seen as a wise business practice, not an operational burden,” said Rik Ferguson, vice president of security research for Trend Micro. “As a strategic security partner, we see it as our shared responsibility to help customers meet GDPR data security compliance.”


Responsible parties

Trend Micro also learned that businesses are uncertain as to who is held accountable for the loss of EU data by a U.S. service provider. Only 14 percent could correctly identify that the loss of data is the responsibility of both parties; 51 percent believe the fine goes to the EU data owner, while 24 percent think the U.S. service provider is at fault.

In addition, it turns out businesses aren’t sure who should take ownership of ensuring compliance with the regulation, either. Of those surveyed, 31 percent believe the CEO is responsible for leading GDPR compliance, whereas 27 percent think the CISO and their security team should take the lead. However, only 21 percent of those businesses actually have a senior executive involved in the GDPR process.

Meanwhile, 65 percent have the IT department taking the lead, while only 22 percent have a board level or management member involved.

The technology required

With threats growing in sophistication, businesses often lack the expertise to combat them, and layered data protection technology is required. GDPR mandates that businesses must implement state-of-the-art technologies relative to the risks faced. Despite this, only 34 percent of businesses have implemented advanced capabilities to identify intruders, 33 percent have invested in data leak prevention technology and 31 percent have employed encryption technologies.


Only 6 percent of UK businesses view GDPR as a number one priority, whereas 30 percent of businesses in France and 25 percent of Benelux businesses have made it a priority. 20 percent of UK businesses consider GDPR to be a low priority, a much higher proportion than in France (8 percent) and Benelux (11 percent).


Is Europe ready for GDPR?

Almost one in five businesses claimed to be already compliant in France (19 percent) and Benelux (18 percent); however, only 8 percent of UK businesses currently identify as GDPR compliant.

“Getting ready for GDPR is a long process. If regulators demonstrate that they are prepared to impose the maximum fines in May 2018, then businesses will seriously regret not being prepared,” said John Shaw, vice president of product management for the Enduser group at Sophos. “With less than a year to go, 55 percent of businesses are not confident that they will be able to comply by the deadline and are understandably distracted by the need to demonstrate GDPR compliance. However, with data breaches occurring on an almost daily basis across Europe, I would argue that the top priority should actually be to reduce the risk of data breaches. Reducing that risk doesn’t need to be complicated – concentrate on stopping the biggest causes of data breaches by making sure the basics are in place: keep all operating systems and software up to date, implement encryption for sensitive data, and educate all employees about the risk of phishing and other social engineering attacks.”

Businesses in Western Europe are slowly getting ready for GDPR, with 42 percent believing they will be ready; however, there is still a lot of ground to cover:

  • Only 42 percent have created a Data Protection Officer role, a much smaller number than expected
  • Currently only half of organisations have measures in place to ensure the individual whose data is being collected gives consent for data collection
  • 44 percent have procedures in place to delete personal data in the event of a “right to be forgotten” request or if an individual objects to the processing of their data
  • Less than half (45 percent) are able to report a data breach within 72 hours of its discovery.

Who is in charge?

In 70 percent of businesses, it’s the IT or IT security team that is taking responsibility for complying with GDPR. The research highlighted that only 4 percent of legal teams and 13 percent of board members or senior management are responsible for implementation.

Many IT decision makers called out a lack of awareness from key decision makers as a reason for not having certain protocols in place, such as being able to report a data breach within 72 hours of its discovery – a vital aspect of GDPR compliance.

The good news is that 65 percent of organisations have a data security policy in place, and 98 percent of organisations either have or are currently implementing a formal plan for employees that outlines what the data security policy is and what is expected of employees when they handle personal data. This shows that organisations are making headway in promoting data security in the workplace and encouraging employees to take the matter seriously.

Confusion over Brexit and GDPR

Despite Brexit, Britain will still need to be fully compliant with GDPR. However, the research has highlighted that many UK businesses think that Brexit may mean they no longer need to comply, with 26 percent of UK organisations admitting that since Brexit they are less clear on what needs to be done to comply or think they won’t have to comply. This has the potential to cause many companies to miss the deadline and face hefty fines.

The Brexit effect doesn’t stop in the UK. 66 percent of businesses in France and Benelux admit to being very or slightly concerned about data security now that the UK has begun the process to leave the European Union. It is clear that Brexit is causing uncertainty and confusion on both sides of the Channel.


A new survey conducted by Vanson Bourne asked IT leaders in the U.S., UK, Germany and France about their current data policies to see how well aligned they are with the EU General Data Protection Regulation (GDPR), which comes into force on May 25, 2018.


The survey of 500 IT decision makers did not name GDPR in its questions, but asked about areas of policy that would be impacted by the regulation. It found 54% could not say all personally identifiable information was protected through anonymization and encryption in all digital locations. This alone could mean companies do not meet the “appropriate level of security” requirement specified in Article 32 of the regulation.

Data breaches

In terms of protecting EU citizens from data breaches, the survey found companies do not currently have the processes or technology in place to adequately meet GDPR requirements around data breaches:

  • Only 52% of all of the companies surveyed are completely confident that they can report data breaches to the authorities within 72 hours of discovery. Moreover, only 55% are “completely confident” they have systems that could identify a breach from an external source, suggesting that a customer’s personally identifiable information could be traded unbeknownst to the company or citizen, placing both at greater risk of fraud.
  • Companies also admitted they cannot easily identify the data obtained in a breach. Less than half (46%) are completely confident that they could precisely identify the data that had been exposed in a breach.

Working with personal data

GDPR regulations also state that “appropriate technical and organizational measures” should be in place to safeguard personal data and minimize data collection, processing and storage. Asked about key areas of data processing, several weaknesses were identified that could leave companies at risk, if not addressed:

  • Only 41% of companies could say that data is automatically geo-fenced “every time” on servers, so it cannot be moved outside of the legal jurisdiction in which it resides.
  • Just 48% of companies audit the security standards of all of their business partners’ storage locations.
  • 54% of companies check on every occasion whether a customer has given permission for records to move between data processors, such as suppliers and business partners, before moving data.
  • Just over a third (37%) of companies claim to have processes that allow them to remove data without delay from live systems and backups. Articles 16 and 17 of the EU GDPR specify that companies must be able to respond to citizen demands for the rectification or erasure of data within one month. 15% are currently building the systems that will give them this functionality.

“The findings show that companies have some way to go over the next 12 months if they are to ensure compliance, and must focus on some security fundamentals such as implementing encryption and data lifecycle protection technology. Compliance is not just a matter of avoiding fines; consumers care deeply about the abuse and loss of their data. The reputational damage from non-compliance can far outweigh the €20 million or 4% of global revenue fine that a company could receive. There is still time to get the technology and processes in place, but complacency is not an option,” said Mark Hickman, COO at WinMagic.