Reading a recent study by Veritas Technologies, I found the data it released interesting: it states that companies around the world mistakenly believe that they are complying with the new data regulation, the General Data Protection Regulation (GDPR).
Coincidentally, yesterday the digital magazine Security Report compiled the report's data, which I describe here:
According to The Veritas 2017 GDPR Report, almost a third (31%) of respondents said their company already complies with the key requirements of the new legislation. However, when asked about specific GDPR requirements, the answers given by most of these respondents indicated that their companies are not in compliance. In fact, further investigation showed that only two per cent of these companies appear to comply with the new legislation, revealing a clear lack of understanding of their actual level of preparedness for GDPR.
According to the report's findings, nearly half (48%) of companies that claimed to be in compliance do not yet have full visibility into incidents of personal data loss. In addition, 61% of these companies admitted it was difficult to identify and report personal data breaches within 72 hours of the incident being discovered, one of the mandatory GDPR requirements where there is a risk to data subjects. Failure to report the loss or theft of personal data (such as medical records, email addresses and passwords) to the regulatory authority within that time frame constitutes a violation of this key requirement.
Accordingly, the report suggests that companies that believe they are GDPR-compliant should review their compliance strategies. Failure to comply with GDPR could result in a fine of up to 4% of the company's overall annual gross revenues or €20 million, whichever is higher.
The threat of former employees
Restricting former employees' access to corporate data and deleting their system credentials helps combat malicious activity and thus prevents financial loss and reputational damage. However, 50% of companies that claim to be compliant stated that former employees can still access internal data. These findings show that even the most confident companies find it difficult to control former employees' access, and thus remain more susceptible to attacks.
Challenges in applying the "right to be forgotten"
Under GDPR, EU residents have the right to request the removal of their personal data from a company's databases. However, Veritas research found that many companies that claim to comply with the law are unable to search for, find or delete personal data in response to "right to be forgotten" requests.
Nearly one-fifth (18%) of companies that believe they are prepared for GDPR admitted that personal data cannot be deleted or modified. Another 13% said they lacked the capability to search and analyze personal data in order to identify explicit and implicit references to a particular individual. In addition, they stated that they were unable to accurately determine where their data is stored because their data sources and repositories are not clearly defined.
These shortcomings make any company non-compliant with GDPR, as companies must ensure that personal data is used only for the purposes for which it was collected, and that it is deleted when it is no longer needed.
Demystifying responsibility under GDPR
The Veritas study also found a common misunderstanding among companies regarding responsibility for data stored in cloud environments. Nearly half (49%) of companies that believe they are GDPR-compliant are of the opinion that the cloud service provider is fully responsible for the compliance of cloud data. However, it is up to the data controller (the company) to ensure that the data processor (the cloud service provider) offers the necessary guarantees regarding GDPR. This false sense of protection could have serious repercussions once GDPR comes into effect.
"GDPR mandates that multinational companies take data management seriously. However, the most recent findings have shown confusion about the requirements needed to comply with the mandatory standards of the legislation. As GDPR's deployment date approaches, these misunderstandings need to be resolved as soon as possible," said Mike Palmer, Executive Vice President and Product Director, Veritas.
"Regulations like GDPR require companies to know exactly what data they store, how to take the necessary action on that data, and how to classify it in order to properly enforce this policy. These are the basic precepts of compliance, and the findings released today should be used to guide companies on these misunderstandings that could lead to the end of their operations."
GDPR aims to strengthen data privacy and protection mandates in European Union (EU) member states. The legislation requires companies to adopt appropriate protection measures and processes for the management of personal data. GDPR takes effect on 25 May 2018 and applies to any type of company, both inside and outside the EU, that offers products or services to EU residents or monitors their behavior.
Download the full report via this link.