GDPR: Countdown to new EU data rules begins…
EU GDPR is a “game-changing” piece of data protection legislation that comes into effect one year from today. While the legislation includes various components related to how organisations collect, store, manage and protect customer data, the ‘right to be forgotten’ gives individuals the right to have personal data erased. But if most organisations cannot locate where their customer data is stored (both on-premise and offsite), it will be difficult to fulfil ‘right to be forgotten’ requests.
According to a study released by Blancco Technology Group today, most organisations struggle with identifying and locating where all customer data is stored. 15% of German respondents admitted they don’t know where all customer data is stored, both on-premise and offsite. The United States (1%) and the United Kingdom (12%) are the two countries with the second and third highest percentages of respondents who don’t know where all of their customer data is stored. For French organisations, however, the problem is somewhat worse, with 20% saying their confidence level in their ability to find all customer data is low – ranging from extremely unconfident to slightly unconfident.
Richard Stiennon, Chief Strategy Officer, Blancco Technology Group, said, “If an organisation cannot find their customers’ data, how will they be capable of erasing the data and complying with the EU GDPR’s requirement? Once they do finally locate their customers’ data, the next step is erasing the data permanently so that it can never be recovered. But as our study reveals, it’s quite common for organisations to use insecure and unreliable data removal methods, such as basic deletion and free data wiping software, which further undermines their security and compliance to EU GDPR.”
“The first priority for all companies should be to gain a complete picture of all data that is collected, stored or processed that contains EU citizen and resident information. After that, companies must ensure that adequate means of protecting that data have been implemented, such as access being restricted to authorised personnel, proper authentication being used and proper procedures for backing up and archiving data and data sanitisation policies being implemented to remove data when it is no longer needed or requested by customers. In addition, any third parties that have access to the data must be evaluated to ensure they too have adequate controls in place.”
GDPR Preparedness Study: Key findings (Source: Blancco)
• 72-hour breach notification, records maintenance of data processing activities and ‘right to be forgotten’ top the list of EU GDPR priorities. Meeting the 72-hour data breach notification rule (25%) and maintaining written records of data processing activities (25%) both ranked as the top priorities for American organisations. British organisations are most concerned with maintaining written records of data processing activities (22%). Conversely, 22% of Spanish organisations will prioritise the appointment of a Data Protection Officer.
• Insufficient budgets, improper handling/storage of IT equipment and lack of data removal software are the biggest roadblocks to the ‘right to be forgotten.’ 12% of the American respondents cited insufficient budget as their biggest challenge, while it’s also a challenge for French companies (17%), British companies (16%) and German companies (15%). Plus, improper handling/storage of IT equipment ranks as a major challenge for Spanish companies (28%), American companies (21%) and British companies (17%).
• Insecure and unreliable data removal methods undermine security and compliance. Basic deletion is used by IT professionals in France (34%), the US (28%), Spain (26%), the UK (24%) and Germany (23%) to remove data. Meanwhile, free data wiping solutions are used by organisations in Spain (35%), the UK (33%), Germany (27%), the US (25%) and France (21%).
• Data Protection Officers are uncommon and costly additions. 59% of American companies and 53% of British companies are most likely to assign the responsibilities of a DPO to an existing role. In Germany, however, companies would be somewhat inclined to hire a new, dedicated role (40%). Meanwhile, 16% of French companies would outsource the role to a consultant.
• Change begins with a data protection gap analysis. 41% of American organisations are currently undergoing a gap analysis and 43% of British organisations plan to start in the second half of 2017. In addition, 50% of Spanish organisations will do so in the second half of this year. But 14% of the French respondents and 14% of the German respondents will wait until 2018.