Over Half of Global Firms Still Not Progressing with GDPR

As we head into the final 18-month stretch before the European General Data Protection Regulation (GDPR) comes into force, two new studies have revealed a worrying lack of preparedness on the part of organizations.

Information management firm Veritas recently interviewed 2500 senior IT decision makers in APAC, the US and EMEA, and found that 54% had not advanced their readiness plans.

The study also found widespread confusion over who was responsible for compliance efforts, with a third (32%) claiming it was the job of the CIO, but sizeable numbers claiming the same for the CISO (21%), CEO (14%) and chief data officer (10%).

Unsurprisingly, 40% were worried about a major compliance failing in their organization.

Among the biggest concerns were fragmentation and loss of visibility (35%), data loss (52%) and employee mishandling of data (40%).

“GDPR is the most significant change to data protection in a generation and an imminent global issue that will dominate data privacy, management and regulation discussions in 2017,” said Mike Palmer, executive vice-president at Veritas. “To avoid potential regulatory fines or worse, damage to their corporate brands and reputations, global enterprises must take action now to understand where their data resides and how to protect it.”

The threat of fines is very real given the continued level of data breaches.

Another report out this week, this time from Blancco Technology Group, claimed 28% of global organizations had been hit by a data breach in the past 12 months.

It claimed 16% of firms still take between one and six months to detect a security threat and 5% only find out when notified by third parties, as was the case with Yahoo.

One of the main pillars of the GDPR is notification of a breach within 72 hours, but according to the report, 13% of firms currently take between one month and one year to do so.

With pending fines of €20 million or up to 4% of global annual turnover for serious infractions, organizations can’t afford to stand still on this.

The Payment Card Industry Security Standards Council, for example, claimed in October that UK firms could face up to £122 billion in regulatory fines when the new law comes into effect in 2018.