Trend Micro has called on regulatory bodies to provide greater clarity on a key part of the EU GDPR, after a new survey highlighted confusion among global organizations on what constitutes “state of the art” security.
The vendor polled 1,000 IT leaders from businesses across the globe and found a wide variety of interpretations of the phrase, which describes the kind of security that firms should be investing in to keep customer data safe.
Some 30% claimed it meant buying from an established market leader; 17% said it meant products that pass independent third-party tests; 16% said it referred to security that meets with analyst approval; and 14% that it covers innovative start-up tech.
More worrying still, 12% claimed they’re more concerned about the cost of products than whether they meet GDPR requirements, while 9% admitted they had no idea what “state of the art” means.
“There are many hurdles for businesses to overcome in establishing GDPR compliance – trying to demystify what ‘state of the art’ means is but another challenge on the list,” said Bharat Mistry, principal security strategist for Trend Micro.
“Regulatory enforcement bodies should offer further clarification on what ‘State of the Art’ means, so businesses can ensure they’re not stepping into a fine once May 2018 arrives.”
This confusion may account for the wide range of products IT security teams are currently investing in. Most common was network-layer security to spot intruders (34%), while DLP (33%) and encryption (31%) were also common.
The research also revealed that many organizations aren’t able to meet a key requirement of the new law: 72-hour breach notifications.
Only 63% said they have a notification process in place for their customers, while 21% said they’re able to notify regulators but not customers.
The report also uncovered a lack of preparedness in supporting the key “right to be forgotten” strand of the GDPR. While 77% have a process in place for data they collect, only 64% can process requests for data their partners collect, and fewer still for data held by CSPs (63%) and third-party agencies (60%).