Business ‘unready’ for new privacy law
The General Data Protection Regulation (GDPR) will be enforced in just over nine months but businesses are not doing enough to prepare for it, according to a study conducted by Japanese cybersecurity firm Trend Micro Inc.
The GDPR becomes effective on May 25, 2018. It is a new EU privacy law that will change how businesses and public sector organisations can handle the information of customers, and will have a great impact on companies worldwide.
Trend Micro’s survey was conducted in partnership with Opinium (a UK-based opinion research consultancy) from May 22 to June 28. It comprised 1,132 online interviews with senior or middle managers/executives from large companies (over 500 employees) across 11 countries and more than six industries.
Companies are overconfident when it comes to compliance with the regulation, Trend Micro said. For example, the study finds that while 95% of business leaders surveyed are aware of the need to comply with the regulation, only 85% have reviewed its requirements.
A substantial percentage of executives may intend to ignore the regulation altogether. More than one in five businesses said “a fine wouldn’t bother them if found in violation”. The figure is not surprising as senior executives in 57% of businesses surveyed are avoiding actions that would put them in compliance with the regulation.
Businesses are deeply divided as to who should take the lead in ensuring compliance. A third said the chief executive should be responsible, and 27% said the chief information security officer should be at the forefront.
Only one in five businesses, however, has a senior executive involved in the compliance process. In reality, IT departments are taking the lead in ensuring compliance in a majority of businesses.
The bulk of non-compliance, however, may be driven by a lack of knowledge as to what personally identifiable information (PII) needs to be protected. More than three in four respondents said their data is as secure as it should be, yet 64% were unaware that a customer’s date of birth is PII. Close to one in two said they did not consider email marketing databases to be PII; 32% said physical addresses and 21% said email addresses are not PII.
Confusion is not limited to the types of data covered, however. A substantial proportion of businesses (over 80%) were uncertain about the regulation’s liability repercussions. Only 14% correctly understood that both the service provider and the data owner (in cases where they are distinct) are responsible in the event of data loss. Half believed the fine would accrue only to the data owner, and a quarter said the service provider is at fault.
All of the data categories mentioned above, however, provide hackers with enough information to steal a customer’s identity, and are hence protected under the GDPR.
Going the extra mile to comply with the GDPR may not make financial sense, according to some executives. Trend Micro’s survey indicates that 66% of respondents “were dismissive of the amount they could be fined” for failing to comply. The rest of the businesses recognised the potential fine as a financial challenge that could constitute up to 4% of their revenue.
Even managers who are unconcerned about financial penalties, though, may be troubled by the broader implications of non-compliance. Two in three businesses said “reputation and brand equity” would suffer the most in the event of a breach. Almost 50% of respondents said their existing customers would be the most affected.
The GDPR has a high bar for compliance, and businesses are lagging, the survey found. The regulation mandates that companies must implement “state-of-the-art technologies” appropriate to the risks faced. Only 34% of firms have put in place advanced capabilities to identify intruders, only 33% have data leakage prevention technology, and only 31% have encryption technology.