Executives Are Not Prepared for GDPR Implementation

26.09.2017


Research by Trend Micro found that C-suite executives are not approaching the regulation with the seriousness it requires, which has led to overconfidence about their organizations' compliance with the GDPR.

On the one hand, Trend Micro's research shows that companies are confident they understand the principles behind the GDPR: 95% of executives know that they need to comply with the regulation, 85% have reviewed its requirements, and 79% think that their data is secure.

On the other hand, Gartner Inc. predicts that by the end of 2018 more than 50% of companies affected by the GDPR will not be in full compliance with its requirements. The research firm recommends that organizations act now and focus on five high-priority changes to catch up with the GDPR: determining the company's role under the regulation (controller or processor), appointing a data protection officer (DPO), demonstrating accountability for all processing activities, reviewing cross-border data flows, and preparing for data subjects exercising their rights.

In order to start preparing, every company has to know what personally identifiable information (PII) it holds and needs to protect. Note that the GDPR itself uses the broader term "personal data" rather than PII: any information relating to an identified or identifiable natural person falls within its scope.

Trend Micro's survey shows that many respondents do not classify the following data as PII: a customer's date of birth (64%), physical addresses (32%), and a customer's email address (21%).

Taken together, these three data points (name and date of birth, postal address, email address) are enough for an attacker to commit identity theft. Moreover, a company that fails to protect this kind of information faces a regulatory fine.

According to the survey, the size of the fines is another big issue. Penalties can reach an upper limit of €20 million or 4% of annual global turnover, whichever is higher. Two thirds of the respondents appear to be dismissive of the amount they could be fined for inadequate data protection, while only one third accept that nearly 4% of their annual turnover could be at stake.

Regarding the consequences of data loss for businesses, 66% think that a company's reputation and brand could suffer immensely, while 46% believe that the largest effect would be felt among existing customers.

It should also be noted that 65% of companies put the IT department in charge of GDPR compliance, while only 27% believe that the CISO and the security team should be responsible for it.

The GDPR requires companies to implement state-of-the-art technical and organizational measures appropriate to the risks they face. Yet the survey found that businesses invest to the same extent in intrusion detection, data leak prevention and encryption technologies, rather than prioritizing according to risk.

The General Data Protection Regulation (GDPR), created by the European Union, was four years in the making and was finally approved on April 14, 2016. The regulation applies from May 25, 2018, and businesses all over the world that process the personal data of EU residents should be well prepared to operate under it.