The clock is ticking. Now that we’re officially less than 30 days away from the EU’s General Data Protection Regulation (GDPR) going into effect, expect to see more and more statistics on the readiness of organizations, not just in the European Union but worldwide.
One of the latest reports, a joint survey issued by law firm McDermott Will & Emery and the Ponemon Institute this week, found that just over half of respondents, 52 percent, said their organizations would be ready by next month’s deadline. 40 percent of those surveyed said their companies wouldn’t be compliant until after that deadline. The remaining eight percent said they weren’t sure when their organization would be compliant.
Analysts with Gartner say it's unlikely those numbers will shift much over the next four weeks. The research and advisory firm posits that by the end of 2018, more than 50 percent of companies affected by GDPR won't be in full compliance. The culprit? Analysts say many companies will have to completely rework their systems and introduce policies for obtaining, using, protecting and deleting personal information.
GDPR, approved and adopted by the EU Parliament in April 2016, takes effect May 25 following a two-year transition period. Organizations that fail to comply with GDPR risk fines of four percent of their annual global turnover, or up to €20M.
McDermott Will & Emery's study surveyed 1003 individuals from companies, 582 in the U.S. and 421 in the European Union. Experts have warned for months that U.S. firms won't be immune to the rule: if an organization processes personal data from an EU resident, even if it's based in the U.S., it will still be affected.
Research scheduled to be published next Monday by CompTIA, a non-profit trade association that specializes in information technology, paints a bleak picture for U.S. firms when it comes to GDPR compliance. Only 13 percent of the 400 firms it surveyed told the group they were compliant. 52 percent of the companies, meanwhile, said they are either still mulling over how GDPR affects their business, have already determined GDPR doesn't affect them, or are unsure.
Perhaps unsurprisingly, companies continue to grapple with Article 33, the data breach notification element of the regulation.
Under the regulation, companies will be required to communicate high-risk breaches to affected data subjects "without undue delay" and, when feasible, within 72 hours of becoming aware of a breach.
83 percent of those who responded to the Ponemon Institute survey said preparing for the notification aspect was the most difficult part of GDPR readiness; 68 percent said that failing to comply with the notification requirement would pose the greatest risk to their companies.
“There is a lot more work to be done for GDPR readiness, this study shows. These findings reflect the demanding nature of GDPR and the anxiety around complying with it,” Mark Schreiber, a partner at the law firm and the head of its Global Privacy and Cybersecurity Practice, said this week. “A key issue here is prioritizing what can be done in the remaining time before that May deadline and acting on those high-risk areas.”
With the regulation looming, Gartner has urged organizations that process personal data to determine how they'll be affected by it and to prioritize changes if they haven't already. Analysts are encouraging companies to appoint a Data Protection Officer, demonstrate accountability for their data processing activities, check cross-border data flows, and prepare for consumers to exercise their GDPR rights.
Under GDPR, EU citizens can request information on the data being held on them via a subject access request (SAR), essentially a written report that sums up what data companies hold on them, why it is being used and who it has been shared with.
Companies have had 18 months to prepare for GDPR in earnest, but based on this week's numbers it sounds like many, both here in the U.S. and abroad, still have work to do to ensure they know where sensitive data resides and how to manage it correctly.