Businesses are not seeing the requirements of GDPR as serious, and continue to be confused by what is required.
The Risk:Value report from NTT Security, based on a survey of 1,350 business decision makers, found that 39% of European respondents identified GDPR as a business risk, while 33% identified ISO 27001/2 and 23% identified PCI DSS as compliance requirements they are subject to.
According to the report, ‘many global companies are still unaware of how they will be affected by GDPR, and certainly don’t understand the implications of the new rules’.
Rory Duncan, head of the security business unit for UK&I at Dimension Data, said that GDPR is being seen as something for the IT department to deal with, when it is in fact an issue for the entire business and about how it processes data.
“It is about how do we process that data within the organization and how do we respond to the other requirements that are not IT security requirements that GDPR requires, and there is a lot of talk about people focusing on the fines but in a way the fine will be incidental compared to the reputational loss,” he said.
“If you get breached, and the likelihood is you have been breached, you will have to declare that you lost that data and what happens next is how you declare that and that is the challenge to your organization. What will happen next is the ICO will come in and look at your processes and whether you were able to define what happened.”
Kai Grunwitz, Senior Vice President EMEA of NTT Security, said that a lot of people struggle with knowing what to do with GDPR: businesses have to consider dealing with the ‘right to be forgotten’ and 72-hour breach notification, and it is a “handle turning process” of knowing what to do.
Asked by Infosecurity if businesses understand the challenge of GDPR, Simon Williams, CEO of NTT Data, said that there is a massive lack of understanding at the C-level. “I was sitting with the COO of a UK insurance company recently and he said ‘I’ve been doing some internet research on what is GDPR and what I need to do in my organization, is that something you can help us with’ and there was a stunned silence in the room as we said yes, but we took them on the journey to help them understand the potential impact to the organization. So there are a lot of people leaving it very late.”
Grunwitz said that in the most successful projects he had seen, a dedicated team was fully assigned to work on GDPR because it was perceived as a business risk, and some companies had invested ‘significant millions of dollars’ to do that rather than be exposed to a fine.
In another statistic from the report, respondents were asked “if your information was stolen in a security breach, how would your organization be affected”, to which 55% said that loss of customer confidence was the main concern, followed by damage to brand/reputation (51%) and direct financial loss (43%).