IT governance deficiencies “impeding organisations from compliance” with EU’s GDPR by 2018

To mark the formal ratification of the EU’s General Data Protection Regulation (GDPR) by the European Council in early 2016, Blancco Technology Group has issued its new data privacy study entitled EU GDPR: A Corporate Dilemma. Based on a survey of over 500 global IT professionals across more than 20 types of businesses, this research indicates that organisations lack defined processes, documentation and technology to adequately address the ‘right to be forgotten’ and require “major overhauls” of their data collection and removal programs in order to ensure full GDPR compliance going forward.

Although 46% of global IT professionals state that they’ve received customer requests to remove data in the last 12 months, 41% said they don’t have defined processes, documentation and technology/tools in place for data removal.

Aligning IT governance and data protection programs

“Due to the fact that the EU’s GDPR negotiations stretched on for the last four years,” said Pat Clawson, CEO of Blancco Technology Group, “many organisations held out some hope that an agreement would be postponed or, if things went the way they hoped, the negotiating parties would never come to agreement. Now that the GDPR is a reality and the new privacy rules will very soon be ratified by the European Council, many companies have a considerable amount of work ahead of them to align their IT governance and data protection programs with both regulatory and customer demands.”

Key corporate security trends that surface in the Blancco Technology Group study include the following:

* While awareness of the GDPR is high among global IT professionals (at 48%), their level of preparation is much lower. 40% of those questioned admit to being less than fully prepared, with 16% still needing to find the right data removal software, 9% uncertain of how and/or where to start and 15% not even knowing if they’re prepared.

* Lack of documentation, processes and tools increases the likelihood of GDPR violations. 60% of the surveyed IT professionals stated that it would take their organisation up to 12 months to implement the necessary IT processes and tools to pass a ‘right to be forgotten’ audit, while 25% don’t know how long it would take.

* At 48%, data erasure software tops the list of the most valuable type of technology needed to ensure GDPR compliance, followed by encryption key removal tools (26%) and malware removal tools (10%).

* IT professionals both inside and outside of Europe (65%) are keen to implement data protection laws similar to the framework outlined within the EU’s GDPR.

End-to-end data lifecycle management processes

Clawson went on to state: “If organisations want to be ready for GDPR compliance by 2018, they will have to assess their current weaknesses. Once they’ve done so, they’ll then need to develop end-to-end data lifecycle management processes, create transparent procedures and customer communications regarding their data removal methods/tools and, finally, improve their security posturing as a whole to include detection and response and the gathering and sharing of threat intelligence.”

Given the stringent requirements and penalties imposed by the new law, companies are advised to follow a 12-point Action Plan so that they can fully prepare themselves for GDPR compliance by 2018.

The Blancco Technology Group study involved input from 511 corporate IT professionals in the United States, Canada, Mexico, the UK, Germany, Singapore, Malaysia and Australia to understand their level of awareness, preparation and capacity to comply with the ‘right to be forgotten’ and the GDPR.

The survey was conducted last autumn and targeted IT professionals across a variety of businesses (with up to 10,000 employees). The gathered results represent 20 different business categories.


About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian is actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.