The majority of organisations worldwide (86%) are concerned that a failure to comply with the upcoming EU General Data Protection Regulation (GDPR) could have a major negative impact on their business. According to a study carried out by Veritas Technologies, nearly 20% said they fear that non-compliance could put them out of business. The concern is driven by the potential fines for non-compliance, which can be as high as €20 million or 4% of annual turnover, whichever is greater.
Intended to harmonise the governance of information that relates to individuals (‘personal data’) across European Union (EU) Member States, the GDPR requires greater oversight of where and how personal data – including credit card, banking and healthcare information – is stored and transferred and how access to it is both policed and audited by organisations.
Applying from 25 May 2018, the GDPR will not only affect organisations within the EU but will also extend globally, covering any organisation that offers goods or services to EU residents or monitors their behaviour (for example by tracking their buying habits). The study indicates that a substantial 47% of organisations globally harbour major doubts that they will meet this impending compliance deadline.
The Veritas GDPR Report 2017 finds that more than one-in-five (21%) businesses are very worried about potential lay-offs, fearing that staff reductions may be an inevitable outcome as a result of financial penalties incurred due to GDPR compliance failures.
Organisations are also worried about the impact non-compliance could have on their brand image, especially if and when a compliance failure is made public, which becomes more likely under the new obligations to notify data breaches to the supervisory authority and, where a breach poses a high risk, to the individuals affected. Some 19% of those surveyed fear that negative media or social coverage could cause their organisation to lose customers. A further 12% are very concerned that their brand would be devalued as a result of negative coverage.
Facing serious challenges
The research also shows that many organisations appear to be facing serious challenges in understanding what data they have, where that data is located and its relevance to the business – a critical first step in the GDPR compliance journey. Key findings reveal that many organisations are struggling to solve these challenges simply because they lack the proper technology needed to address compliance regulations.
There’s also widespread concern about data retention. More than 40% of organisations admit that they have no mechanism in place to determine which data should be kept or deleted based on its value. Under the EU GDPR, companies can retain personal data only for as long as it is needed for the purpose that was notified to the individual concerned when the data was collected, and must delete it once it is no longer required for that purpose.
“There’s just over a year to go before the EU GDPR comes into force, yet the ‘out of sight, out of mind’ mentality still exists in organisations around the world,” explained Mike Palmer, executive vice-president and chief product officer at Veritas. “It doesn’t matter if you’re based in the EU or not. If your organisation does business in the region, the regulation applies to you. A sensible next step would be to seek an advisory service that can check the level of readiness and build a strategy that ensures compliance. Any failure to react now places jobs, brand reputation and the livelihood of businesses in jeopardy.”