GDPR: Companies still unprepared
08/07/2017 - Venice
According to two separate studies, one conducted by Veritas and the other by NTT Security, the new European privacy regulation will catch many companies off guard.
With at least a year to go before the GDPR takes effect (we already covered it in this article), the 2017 NTT Security Risk Value Report surveyed a sample of 1,350 decision makers from around the world to learn how they view security risk and what they plan to do to protect their data.
Here are some of the survey's findings:
- one in five managers (19%) admits to not knowing the new regulation
- 33% say they do not know where their business data is physically stored
- only 47% of companies consider their critical data safe today; indeed, 57% expect to have to handle breaches of their computer security systems
- 45% of companies in the financial sector are aware of the GDPR's impact, compared with 33% in the retail sector
With at least a year to go before the new regulation takes effect, on May 25th, 2018, it appears that companies still do not know what the regulation covers or which choices are best to make.
Penalties, however, will not be lenient with those who fail to comply in time: fines can reach up to 20 million euros, or the equivalent of 4% of annual turnover, in case of non-compliance.
Awareness of the GDPR's impact on companies is even lower outside the EU: 25% of managers in the United States, 26% in Australia and 29% in Hong Kong believe their businesses will not be subject to the new privacy regulation, even though the regulation is clear on the matter. It applies to any company that processes the personal data of European citizens, regardless of where the company is located.
The sectors that proved best informed and most aware are banking, finance, technology and IT services.
Decision makers often regard the GDPR as a costly adaptation that brings no added value to the company. The new regulation is in fact an opportunity to innovate not only systems but also the corporate mindset within organizations: “Cybersecurity is a journey, not a destination”, as the NTT Executive Summary puts it.
The second study, conducted by Veritas, confirms that a solution to this problem is still far from reality. It highlights that many companies have gaps in their protection of personal data which they are unable to recognise. 48% of the companies that claim to be GDPR-compliant do not have full visibility into incidents involving the loss of personal data. Among these, 61% admit they would struggle to identify and report a data breach within 72 hours, the maximum period allowed by law, and about 50% believe that the cloud provider alone is responsible for the compliance of data stored on its infrastructure. Here too, the new regulation sets out a very different scenario: responsibility for compliance lies with the data controller, who must ensure that the external supplier acts in accordance with the new regulation.
For further information about the GDPR, contact us at firstname.lastname@example.org or on 041 2525811