A recent Forrester report titled “Security Through Simplicity” surveyed 481 IT security decision makers regarding their GDPR readiness. Surprisingly, according to the study, most of the organizations surveyed had not carried out fundamental steps towards GDPR compliance.
A small caveat here. The December study was commissioned in August but wasn’t completed until September – well after the GDPR had come into place on May 25th. There are no excuses as to why organizations are yet to be fully GDPR compliant.
A Quick Summary of GDPR
Doubtless you know by now what the GDPR is and what it entails, but it is worth a quick summary as many organizations are still failing on key points. The GDPR is a regulation that requires organizations to act more responsibly when storing, handling or processing the personal data of EU citizens. It gives EU citizens more rights over how their data is stored and handled and what data organizations can have access to. Companies that fail to meet the articles and chapters of the GDPR face potentially enormous fines of up to €20 million or 4% of annual revenue (whichever is greater).
Where Are Organizations Failing When It Comes to GDPR?
According to the survey, there were seven key areas related to GDPR that organizations were still failing at. Here is a brief summary of each key point:
1. Have you vetted your third-party vendors? It is crucial that you ensure that any third-party vendors you take on business relationships with are vetted appropriately. The GDPR takes third-party vendor vetting very seriously, requiring organizations to notify privacy professionals whenever there is a new program or acquisition that involves sharing personal data with a third party. It also requires you to determine whether that vendor is acting as the controller or processor in the transaction and that both parties are compliant with the appropriate articles and chapters related to those rules.
2. Have you appointed a DPO? If your organization handles a large quantity of data, then it’s likely you will need a DPO. Likewise, if collecting, storing, handling or monitoring sensitive data is vital to your business functions then you will need a DPO. You don’t necessarily have to outsource for this role, but it would be wise to do so if you lack the in-house GDPR knowledge.
3. Are you able to provide evidence that you have addressed GDPR risks? Would you be able to produce evidence that you had the strategies and solutions in place to deal with common security threats targeting sensitive data, including insider threats, ransomware, privilege abuse and more? Most organizations are not in a position to do this.
4. Are you operating on a policy of “privacy by design”? Whenever you are adopting new technology, processes or practices, you need to make sure that data privacy is treated as the number one priority when they are being created. Many organizations are clearly still treating data privacy as an afterthought and not as the priority.
5. Do your employees know what GDPR involves? Both your marketing and your business colleagues need to be fully trained on what GDPR requires of them and the business as a whole. When surveyed, most organizations admitted to not providing adequate training in this area.
6. Do you have a budget specifically for GDPR readiness? Most organizations surveyed admitted to not having put aside a budget for GDPR readiness. This demonstrates that most organizations believe they are able to become GDPR compliant without additional spend on manpower, resources or solutions. This simply won’t be true for the vast majority of organizations.
7. Would you be able to notify relevant authorities about a breach within 72 hours? One commonly discussed requirement of the GDPR is the 72-hour breach notification requirement. To be able to detect and notify the relevant authorities about a data breach within 72 hours requires a tremendous amount of organization, strict processes and powerful monitoring solutions. Most organizations have not sorted this out yet.
If you need help with any of these GDPR requirements, we may be able to help. Our Data Security Platform, LepideAuditor, is able to help you meet many of the audit-related GDPR articles and help you overcome the challenges raised in this article. For more information and a free trial of the solution, click here.