Data virtualisation software specialist Delphix has revealed that “confusion reigns” among UK businesses around data protection requirements. 21% of UK companies questioned in a recent survey have no understanding of the forthcoming EU General Data Protection Regulation (GDPR). A further 42% of organisations in the UK have looked into some aspects of the GDPR, but not into the ‘pseudonymisation’ tools that the legislation recommends. Approximately one in five of those that have studied the ‘pseudonymisation’ requirements in the GDPR admit that they’re having trouble understanding them.
From June 2018, any business that offers goods and services to the EU or monitors the behaviour of EU citizens will be subject to the General Data Protection Regulation (GDPR).
“Following the results of the EU Referendum, there’s confusion about the GDPR,” commented Iain Chidgey, vice-president of international business at Delphix. “It’s important to remember the UK’s exit from the EU will not happen overnight. In the immediate future, the UK will be subject to the same data protection regime as the rest of the EU. In the long-term, the UK will still need to prove adequacy and adopt similar data protection standards to continue trading securely within Europe. As a result, organisations need to focus on making sure that their GDPR preparations are underway.”
The GDPR defines ‘pseudonymisation’ as the process of ensuring that data is held in a format that doesn’t directly identify a specific individual without the use of additional information. To address the challenges of a digital age and limit the risk to individuals that have their data breached, the GDPR incentivises organisations to ‘pseudonymise’ their data at several different points.
France currently has the best understanding of ‘pseudonymisation’ in the GDPR, with 38% of respondents to the Delphix study claiming they fully understand the ‘pseudonymisation’ requirements, compared to just 21% in Germany. However, confusion still reigns in Germany, with 40% of interviewees revealing that they’ve studied the ‘pseudonymisation’ requirements in the GDPR but are having trouble understanding them.
“When it comes to protecting personal information, data masking and hashing represent the de facto standard for achieving ‘pseudonymisation’,” continued Chidgey. “Take the unprotected personal information that’s often freely available in the non-production environments used for software development, testing, training, reporting and analytics. By replacing this sensitive data with fictitious yet realistic data, businesses can neutralise data risk while at the same time preserving its value. Data masking irreversibly transforms sensitive data to eliminate risk, while also allowing organisations to demonstrate compliance with the ‘pseudonymisation’ requirements in the GDPR.”
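The two techniques the definition above and the quote describe, keyed pseudonymisation (data that only re-identifies someone with separately held ‘additional information’) and irreversible masking with fictitious but realistic values, as an added illustration that is not Delphix’s or the article’s own code. The records, field names and key are constructed, and the comparison check shows why a plain hash of a guessable field such as an e-mail address does not meet the definition.

```python
import hashlib
import hmac
import random
from typing import Optional

# Constructed sample records, not real people; the field names are an assumption.
RECORDS = [
    {"id": 1001, "name": "Alice Example", "email": "alice@example.com", "postcode": "SW1A 1AA"},
    {"id": 1002, "name": "Bob Sample", "email": "bob@example.org", "postcode": "M1 1AE"},
]

def pseudonym(value: str, key: Optional[bytes]) -> str:
    """Keyed (HMAC-SHA256) pseudonym of a value, or a plain SHA-256 if key is None."""
    data = value.strip().lower().encode()
    if key is None:
        return hashlib.sha256(data).hexdigest()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with keyed pseudonyms.

    The key is the 'additional information' in the GDPR definition: stored apart
    from the dataset, so the data alone identifies nobody, while equal inputs still
    give equal pseudonyms, so joins, audits and reports keep working.
    """
    out = dict(record)
    for field in ("name", "email"):
        out[field] = pseudonym(record[field], key)
    return out

def link_back(digest: str, candidates, key: Optional[bytes]) -> Optional[str]:
    """Return the candidate whose pseudonym equals digest, or None.

    A check, not a workflow: a plain hash of an e-mail is matched by hashing known
    addresses, so it is not pseudonymisation; a keyed pseudonym links back only for
    whoever holds the key.
    """
    for cand in candidates:
        if hmac.compare_digest(pseudonym(cand, key), digest):
            return cand
    return None

def mask(record: dict, seed: Optional[int] = None) -> dict:
    """Irreversibly replace identifiers with fictitious but realistic values.

    Nothing here is derived from the original, so no key can reverse it; formats
    are preserved so dev/test/analytics copies behave like production. Only the
    postcode area (outward code) is kept.
    """
    rng = random.Random(seed)
    first = rng.choice(["Ana", "Chen", "Dev", "Fatima", "Liam"])
    last = rng.choice(["Novak", "Okafor", "Patel", "Silva", "Weber"])
    letters = "ABDEFGHJLNPQRSTUWXYZ"
    out = dict(record)
    out["name"] = f"{first} {last}"
    out["email"] = f"{first.lower()}.{last.lower()}{rng.randint(100, 999)}@example.test"
    out["postcode"] = f"{record['postcode'].split()[0]} {rng.randint(1, 9)}{rng.choice(letters)}{rng.choice(letters)}"
    return out
```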
Only a quarter of data ‘masked’
Currently, just a quarter of data in the UK and Germany is masked, compared to a third in France. Respondents in the UK claimed that the biggest challenges to data masking are that data is ‘sprawled’ throughout an organisation with little central control (32%) and that masking takes too long and delays projects (42%).
A further 26% in France and Germany also claimed that data masking tools are prohibitively expensive. As a result of the new legislation, nearly half of data in the UK and Germany will be masked by 2018 (48% and 47% respectively). In France, this figure will be even higher, rising to 60%.
On a scale of one-to-five (one being very important and five not being very important), 67% of businesses in the UK ranked the reduced likelihood of fines for non-compliance as one of the biggest benefits of ‘pseudonymisation’. A further 64% claim it will reduce the risk to their brand in the event of a data breach, with 57% believing that it will enable teams to identify, audit and report on data.
However, as organisations secure data through ‘pseudonymisation’, this will create opportunities for the business, improving the availability of secure data that can be used to accelerate IT initiatives and support innovation. Reflecting this, the biggest benefits of ‘pseudonymisation’ in France and Germany are expected to be accelerating IT and business processes that depend on access to secure data (57% and 48% respectively) and reducing the risk to the organisation’s brand in the event of a data breach (57% and 49% respectively).
A further 54% of respondents in France and 44% in Germany also claimed that it would reduce the amount of time and money invested in data protection initiatives.
“When it comes to data protection, we can be certain that regulation both inside and outside of the UK will continue to become tighter and the fines will continue to escalate,” stated Chidgey. “For many organisations, the GDPR will not only force them to ensure compliance and reduce the risk of a data breach, but will also help to usher in a new wave of IT innovation. As organisations examine how they store, manage and secure data as part of their compliance demands, there’s also an opportunity to think about how that data can be better used. Embracing new technologies, including those combining data virtualisation with data masking, ensures that organisations can ‘pseudonymise’ data once and guarantee that all subsequent copies have the same protective policies applied. This will future-proof the business from costly data breaches and ensure compliance while improving agility and time-to-market.”
Responsibility within the C-Suite
The survey also revealed that responsibility for data protection will sit firmly within the C-Suite, but few organisations have appointed a chief data officer or a chief privacy officer.
In the UK, 52% listed the CISO or head of IT security as being the ‘responsible person’. A further 18% cited the chief data officer or data protection officer followed by the CEO or CIO (17%).
Over a third (35%) of French respondents said that responsibility for data protection primarily sits with a chief data protection officer. 25% named the CISO and head of IT security and 23% the CEO or CIO.
In Germany, nearly half (44%) said that the CISO or head of IT security was responsible for data protection, followed by the CEO or CIO (30%) and the chief data officer or data protection officer (18%).
This lack of consistency regarding who’s responsible for data highlights the need for organisations to take the appropriate steps towards regaining control over data governance by introducing tools that drive standardisation and privacy by design.