Enterprises still unprepared for new EU data regulation


Esther Shein

With only a couple of weeks remaining until the May 25th deadline for the European Union’s General Data Protection Regulation (GDPR), countless reports have come out issuing dire warnings about the consequences of failing to comply with the new law. All the reports share one constant theme: many companies still aren’t prepared.

Is your organization?

The legislation is designed to give residents of the European Union more control and privacy over their personal data, and it spells out requirements for how that data is collected, stored and used. Companies in the U.S. that process the personal data of European residents (including names, ethnicity and email addresses) and don’t comply face fines as high as four per cent of their annual revenue or 20 million euros, whichever is greater.

One of the more recent reports, from Crowd Research Partners, claims that 60 per cent of respondent organizations are at risk of missing the GDPR deadline, and only seven per cent said they are in full compliance with the requirements.

The report also found that while 80 per cent of respondents say GDPR is a top priority for their organization, only half are knowledgeable about the data privacy legislation or have deep expertise. Also alarming is that one-quarter of respondents said they have no or only very limited knowledge of the law.

The primary compliance challenges are lack of expert staff (43 per cent), closely followed by lack of budget (40 per cent) and a limited understanding of GDPR regulations (31 per cent), according to the Crowd Research report. Fifty-six per cent said they expect their organization’s data governance budget to increase to deal with GDPR challenges.

Michael Osterman, president of Osterman Research, agrees that the cost of data protection plays a big role in the procrastination, but added that “complying with GDPR is a fairly daunting task.” That’s because organizations have to know where all their data is, classify it properly and be able to access it when it is requested.


“If you look at what GDPR requires, it’s really a best practice for information or data governance … that organizations should be following, but most have not,” he observed. “They have a lot of data that is out of their control, whether in the cloud or on mobile apps and so forth, and they don’t have a good way of getting at data in silos.”

Another part of the problem, Osterman believes, is that, as with a lot of other regulations, organizations don’t take it seriously at first. He pointed out that HIPAA (Health Insurance Portability and Accountability Act) was enacted in 1996, but it wasn’t until HITECH (Health Information Technology for Economic and Clinical Health) was passed in 2009 that “it started to put some teeth in the legislation. And I think the same thing is true of the GDPR.”

Although Osterman’s most recent study put GDPR compliance at 41 per cent in December 2017, he estimates the figure is probably more like 50-55 per cent now.

“You’re hearing a lot about this at conferences and pretty much wherever you go,” he explained. “Part of the problem is organizations in general tend to be reactive and wait until something bad happens before they take action. They’re going to wait and see what happens … once the deadline has come and gone and how serious the EU is going to be about this.”

Osterman thinks the EU will be looking for some “targets early on to make sure everyone is serious about this” by putting large companies like Amazon under scrutiny. “Someone suggested at a recent conference that the EU is upset with American companies like Amazon for not paying taxes in the EU, so they’re looking to fine them, so they can get their tax money through fines.”

He said he doesn’t know whether the EU will grant extensions to companies that demonstrate they are working toward compliance but may miss the May 25th deadline.

At this stage, what he most wants people to know is that they should take GDPR compliance very seriously if they hold data on European residents. And while compliance is mandatory, it will also bring spillover benefits in customer engagement, competitive positioning, eDiscovery and more general regulatory compliance, he added.

“GDPR is a pain, but it’s a pain that’s going to pay off,” said Osterman.

“If you do this, it sets a very high bar and it’s going to pay off for everything else you’re going to do.”

It’s also important to note that compliance is not just about protecting traditional IT systems behind a corporate firewall. Today, work and personal lives are blended, and a significant number of employees regularly access data from their personal devices, which could leave their companies exposed to GDPR noncompliance. It is critical that IT security officials understand how data on employee devices could be maliciously accessed or accidentally leaked. Mobile device management tools are one measure companies can take: they allow a compromised or lost device to be remotely wiped or disabled in order to prevent a data breach, according to Osterman’s 2018 report, What You Should Know About the GDPR.

“Such tools also provide a real-time dashboard on the data protection health of the device fleet, and enforce local settings, such as encryption and the use of endpoint security software,” he wrote.