To mark the formal ratification of the EU’s General Data Protection Regulation (GDPR) by the European Council in early 2016, Blancco Technology Group has issued its new data privacy study entitled EU GDPR: A Corporate Dilemma. Based on a survey of over 500 global IT professionals across more than 20 types of businesses, this research indicates that organisations lack defined processes, documentation and technology to adequately address the ‘right to be forgotten’ and require “major overhauls” of their data collection and removal programs in order to ensure full GDPR compliance going forward.
Although 46% of global IT professionals state that they’ve received customer requests to remove data in the last 12 months, 41% said they don’t have defined processes, documentation and technology/tools in place for data removal.
Aligning IT governance and data protection programs
“Due to the fact that the EU’s GDPR negotiations stretched on for the last four years,” said Pat Clawson, CEO of Blancco Technology Group, “many organisations held out some hope that an agreement would be postponed or, if things went the way they hoped, the negotiating parties would never come to agreement. Now that the GDPR is a reality and the new privacy rules will very soon be ratified by the European Council, many companies have a considerable amount of work ahead of them to align their IT governance and data protection programs with both regulatory and customer demands.”
Key corporate security trends that surface in the Blancco Technology Group study include the following:
* While awareness of the GDPR is high among global IT professionals (at 48%), their level of preparation is much lower. 40% of those questioned admit to being less than fully prepared, with 16% still needing to find the right data removal software, 9% uncertain of how and/or where to start and 15% not even knowing if they’re prepared.
* Lack of documentation, processes and tools increases the likelihood of GDPR violations. 60% of the surveyed IT professionals stated that it would take their organisation up to 12 months to implement the necessary IT processes and tools to pass a ‘right to be forgotten’ audit, while 25% don’t know how long it would take.
* At 48%, data erasure software tops the list of the most valuable types of technology needed to ensure GDPR compliance, followed by encryption key removal tools (26%) and malware removal tools (10%).
* IT professionals both inside and outside of Europe (65%) are keen to implement data protection laws similar to the framework outlined within the EU’s GDPR.
End-to-end data lifecycle management processes
Clawson went on to state: “If organisations want to be ready for GDPR compliance by 2018, they will have to assess their current weaknesses. Once they’ve done so, they’ll then need to develop end-to-end data lifecycle management processes, create transparent procedures and customer communications regarding their data removal methods/tools and, finally, improve their security posturing as a whole to include detection and response and the gathering and sharing of threat intelligence.”
Due to the stringent requirements and penalties imposed by the new law, companies are advised to follow a 12-point Action Plan so that they can fully prepare themselves for GDPR compliance by 2018.
The Blancco Technology Group study involved input from 511 corporate IT professionals in the United States, Canada, Mexico, the UK, Germany, Singapore, Malaysia and Australia to understand their level of awareness, preparation and capacity to comply with the ‘right to be forgotten’ and the GDPR.
The survey was conducted last autumn and targeted IT professionals across a variety of businesses (with up to 10,000 employees). The gathered results represent 20 different business categories.