Compuware Corporation survey finds majority of businesses “underprepared” for EU GDPR

Compuware Corporation has released the results of new research revealing that many European and US businesses are ill-prepared for the recently-agreed EU General Data Protection Regulation (GDPR) and, as a result, at risk of falling foul of its rules around the use and control of personal data.

According to the survey*, just over half (55%) of European businesses are well briefed on the GDPR and its impact on the way that customer data can be handled. Over half (52%) of US businesses surveyed hold European customer data, meaning they too will need to comply with the new regulations. Just 43% of US respondents claim to be well-briefed on the GDPR and its impact. Despite the risks of failing to comply, 68% of businesses don’t yet have a comprehensive plan in place for how they will respond to the impact of the GDPR.

Factors contributing towards the difficulty of dealing with EU GDPR compliance include growing IT complexity, the Agile and DevOps-enabled proliferation of new applications, ongoing collection of more data and IT outsourcing.

The majority of respondents (63%) admitted to the researchers that data complexity is one of the biggest hurdles to achieving compliance, while a further 53% said that securing and handling customers’ consent for their data to be used would be another major issue to confront. 

Poor control of the ‘Right to be Forgotten’

The research indicates that businesses are struggling to control their data, which will make it difficult to comply with the ‘Right to be Forgotten’ mandate laid out in the GDPR.

Key findings of the Compuware Corporation research include:

* 68% of respondents said the complexity of modern IT services means that they cannot always know where customer data actually resides

* Over half (53%) said that it’s particularly difficult to know where all of their test data is

* Just over half (51%) of CIOs can locate all of an individual’s personal data quickly, while nearly a third (30%) admitted they couldn’t guarantee they would be able to do so at all

* Respondents also stated that the use of ‘outsourcers’ (81%) and mobile technology (63%) is making it even harder to keep track of where customer data resides

* Nearly half (45%) of respondents said it would take their business considerable time and resources to comply with any request to show an individual all of the data that the organisation holds on him or her across all of its systems

* Just over half (52%) would then be able to remove all of that data efficiently should the individual exercise their ‘Right to be Forgotten’

“To comply with the GDPR, businesses need to keep stricter control of where customer data resides,” said Dr Elizabeth Maxwell, technical director (EMEA) at Compuware Corporation. “If they don’t have a firm handle on where every copy of customer data resides across all of their systems, businesses could lose countless man-hours conducting manual searches for the data of those exercising their ‘Right to be Forgotten’. Even then, they may not identify every copy, leaving them at risk of non-compliance.” 

Testing the boundaries of consent

The research found that 86% of businesses use live customer data to test applications during software development. However, just one-in-five respondents ask for explicit customer consent for their data to be used in testing, leaving the majority non-compliant with the GDPR.

Alarmingly, 43% of those that test applications with live data are further putting customer privacy at risk as they cannot guarantee data is depersonalised before it’s used.

“Using customer data to test applications is fairly standard practice, but there’s no need or excuse for not first depersonalising it,” continued Maxwell. “Companies that fail to mask data before using it to test applications could soon find themselves served with an eye-watering fine from the EU regulators. As well as being better for protecting customer privacy, ‘anonymising’ test data eliminates the need to obtain customers’ explicit consent for it to be used in this way, which over half (53%) of CIOs identified as one of the biggest hurdles in GDPR compliance.” 

*Commissioned by Compuware Corporation and conducted by independent research company Vanson Bourne, the survey was administered to 400 CIOs at large companies covering a cross-section of vertical markets in the UK, France, Germany, Italy, Spain and the US.

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
