Clock is ticking - businesses still not ready for GDPRThursday, December 7, 2017
Enterprises sleepwalking into data protection issues in mid-2018, according to survey
With just six months until the EU General Data Protection Regulation (GDPR) comes into force across Europe, concerns are rising that enterprise in general is not responding adequately. A new survey has highlighted this, with more than half (57 per cent) of professionals concerned about compliance with the standard.
An even higher figure or 60 per cent of respondents in the EU and 50 per cent of respondents in the US say they face some serious challenges in being GDPR compliant. GDPR comes into force on May 25, 2018, and promises huge fines for non-compliance, as well as introduces a range of more powerful protections for personal data held or processed by companies.
The survey from Varonis polled 500 cybersecurity professionals in the UK, Germany, France and US, and also found that 38 per cent of respondents thought their organisations were unconcerned about the looming deadline, with many not viewing compliance by May as a priority, while one in four US professionals believed their firms did not need to comply with GDPR at all. Interestingly, 51 per cent of UK respondents believe that their organisation is more than 50 per cent complete in their compliance process. In the UK also, the biggest challenge is seen to be implementing data protection by design, according to 58 per cent of security professionals.
That said, the vast majority of companies (74 per cent) believe that adhering to the GDPR will give them a competitive advantage over other organisations in their vertical.
Ilia Kolochenko, CEO, High-Tech Bridge said that the legislation was welcome, but that some details still need to be ironed out around data breach notification: “The majority of the states in the US have already adopted similar laws, GDPR in the European Union and UK (despite Brexit) also implies strict data breach disclosure and notification guidelines.
“The obligation to report a data breach is definitely useful to protect customers, however its enforcement and control are not obvious. Professional cybercriminals do their best to remain unseen, at least for a certain period of time, recent Yahoo breaches - are good examples. Therefore, can we hold a company responsible for a breach that it is not aware of, despite best possible and reasonable efforts taken? The government should also allocate additional resources to investigate and prosecute cybercrime in a proportional manner. Otherwise, it seems unfair to put the entire responsibility on companies and organisations.”
High-Tech Bridge recently updated the ImmuniWeb Application Security Testing Platform to help businesses worldwide to discover, log and continuously monitor GDPR compliance levels in enterprise web applications. This specifically helps compliance with GDPR 32.1.d requirements, as well as PCI DSS 6.6/11.3 requirements.
Useful reading: the UK’s ICO has recently created a specific ‘Guide to the GDPR’ section of the ICO site to help organisations comply with the new rules - the watchdog will also regularly update the guide to boot.