
Data protection regulation survey

by Mark Rowe

A software firm has released the results of a European survey of how businesses are preparing for the new European Union data protection regulation, the General Data Protection Regulation (GDPR). The GDPR draft has been passed by the EU Parliament and is due to become law by the end of this year. It is expected to impact any organisation which collects, stores, processes and shares personal data on employees, customers or partners. The regulation is designed to unify and simplify data protection across 28 EU countries and includes severe penalties for non-compliance of up to two per cent of a company’s annual global turnover.

Over two thirds (68 per cent) of IT people asked say that keeping up to date with changing data protection regulatory requirements is a financial burden on their business. British businesses feel most strongly about this (77 per cent), compared with 66 per cent in France and 61 per cent in Germany. Nearly seven in ten (69 per cent) of IT professionals believe they will need to invest in new technologies and services to help them prepare for the impact of GDPR. 62 per cent think they will need to invest in encryption technologies, 61 per cent in analytic and reporting technologies, 53 per cent plan to invest in perimeter security technologies and 42 per cent in file sharing technologies.

Over half (51 per cent) report that their business has already allocated training budget to help staff understand and comply with GDPR. However, just under a third (30 per cent) have not. Almost one fifth (19 per cent) have no idea whether training budget has been allocated. Businesses in France report the most instances of training budget having been allocated (56 per cent), compared to 49 per cent in Germany and 48 per cent in the United Kingdom.

Exactly half of IT professionals also say they have allocated internal training resource to help staff understand and comply with the new regulation. However, almost one third (32 per cent) have no internal resource allocated for this yet. The United Kingdom appears to be the least prepared here, with 40 per cent having made no provision compared to their German (33 per cent) and French (24 per cent) counterparts.

Whilst over two thirds (69 per cent) of IT professionals acknowledge that GDPR will impact their business, almost one fifth (18 per cent) still have no idea whether changes in the regulation will apply to them. This is despite confirming that they do store and process personal data.

These numbers are, however, an improvement on awareness of the regulation at this time last year, when a compliance survey by Ipswitch found that more than half (56 per cent) of respondents could not accurately identify what ‘GDPR’ meant.

Overall, 90 per cent of those surveyed said that their businesses store personal data, 86 per cent process personal data and over a third (40 per cent) share data externally. 62 per cent of those that share personal data use email to do so. A quarter are using portable storage such as USBs or CDs, almost a quarter (22 per cent) use the postal system and 43 per cent use cloud based file sharing websites.

David Juitt, chief security architect at Ipswitch, said: “It’s encouraging to see that there is far greater awareness of the changes than at this time last year. Just over half of businesses are starting to prepare with training courses for staff. However, whilst IT professionals recognise the need to align data protection regulation to keep up with modern data sharing practices and the globalisation of data, it is clear that compliance comes at a price for most. Whilst many are trying to prepare by organising training and assigning resource, there’s clearly a very large expectation of a need to invest in new technologies.”

An authority on information security management, David Lacey said: “The draft GDPR bill is more stringent than any data protection regulation we’ve seen before and it outlines financial penalties far greater than before. Whilst businesses may not be expected to be fully compliant until 2017, it seems that there is growing awareness that any solutions or services invested in now will have a direct impact on how ‘GDPR ready’ that organisation will be. Many organisations I speak to are already preparing a ‘to do’ list and auditing their existing data to determine whether they meet the new standards, and if not, what work needs to be done.

“The Ipswitch survey findings demonstrate very clearly that IT professionals are realising not only will they need to review policy and process, but a financial, training and resource investment will also be needed. File sharing practice, perimeter defences and encryption technologies are just a few of the processes and solutions that need to be reviewed. It is a time intensive and costly process, however, it is also an essential one to avoid being caught out.”
