Both SMBs and large enterprises lack general awareness of the requirements of the European Union's new General Data Protection Regulation (GDPR), how to prepare for it, and the impact of non-compliance on data security and business outcomes, according to a global survey by Dell.
Designed to strengthen protection of personal data for all EU citizens, the new regulation goes into effect in May 2018 and affects companies of all sizes, in all regions, and in all industries. Those not fully compliant when GDPR goes into effect risk significant fines, potential breaches and loss of reputation.
Survey results show that 76% of IT and business professionals in APAC (Australia, New Zealand, Singapore, Hong Kong and India) responsible for data security at both SMBs and enterprises are concerned with GDPR compliance.
Although the majority of APAC IT and business professionals express compliance concerns, respondents lack general awareness of GDPR, and they are neither prepared for it now nor expect to be when it goes into effect.
Almost 90% of respondents say they know few details or nothing about GDPR. Fewer than one in three companies feel they are prepared for GDPR today. Seventy-one percent of IT and business professionals in the APAC region say they are not, or do not know whether their company is, prepared for GDPR today, and only seven percent of these respondents have a plan for readiness.
Nearly all APAC companies (93%) have no plan in place for when GDPR takes effect in 2018.
Results further show that while organizations realize failure to comply with GDPR will impact both data security and business outcomes, they are unclear on the extent of change required, the severity of penalties for non-compliance, and how the changes will affect the business. Eighty-five percent say they would not have faced penalties, or did not know whether their organization would have faced penalties, for its approach to data privacy if GDPR had been in effect this past year.
Of the 15% of APAC respondents who said they would face a penalty if GDPR were in place today, 30% think it would require only an easy remediation, or don’t know the penalty.
Close to 50% believe they would face a moderate financial penalty or manageable remediation work.
Almost 20% expect significant changes in current data security practices and technologies. Additional findings show that most organizations don’t feel well-prepared across security disciplines for GDPR compliance.
Fewer than half of respondents feel well-prepared for any of the security disciplines impacting GDPR, and only 16% feel well-prepared for access governance, a key security discipline for GDPR.
Meanwhile, more than 70% of enterprise respondents in APAC either are not, or do not know whether they are, prepared for GDPR. Nearly 70% of SMB respondents in the region said the same.
The study also shows that 95% of APAC respondents say their existing practices will not satisfy the new GDPR requirements.
Tips and strategies
The EU GDPR was adopted by the European Parliament and Council in 2016 and becomes fully effective in May 2018. Below are tips and strategies to help organizations adhere to the security disciplines needed for GDPR compliance, so they can protect customers' personal information and avoid the data breaches, heavy fines and loss of reputation that may result from non-compliance:
- Appoint a data protection officer (DPO). GDPR requires a DPO for public authorities and for organizations whose core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special categories of data; many other organizations appoint one voluntarily. The position can be full-time, filled by an employee with other responsibilities, or outsourced. The good news is that a designated DPO can be provided as a service, so some system integrators or resellers could offer this to grow their businesses.
- Deploy a firm access governance solution. The ability to govern access to applications that permit access to EU citizens’ personal data ‒ particularly unstructured data ‒ is a major factor in data security and GDPR compliance. Governance generally requires periodic review of access rights by line-of-business managers and attestation (or recertification) that the permissions align with their job roles and do not compromise data security. The One Identity family of Identity and Access Management solutions provides this level of visibility and control.
- Control access management. To satisfy GDPR, employees and contractors must have the correct access permission to do their jobs and nothing more. The right identity and access management technologies that facilitate this level of control include multi-factor authentication, secure remote access, risk-based/adaptive security, granular password management, and full control over privileged user credentials and activity.
- Protect the perimeter. Deploy next-generation firewalls to reduce the network’s exposure to cyber threats, mitigate the risk of data leaks that could lead to a data breach resulting in stiff penalties assessed under GDPR, and deliver the forensic insight required to prove compliance and execute appropriate remediation following a breach.
- Facilitate secure mobile access. Foster the secure flow of covered data while enabling employees to access the corporate applications and data they need, in the way they prefer and on the devices they choose. Enhance data security (while removing access obstructions) by combining identity attributes, device posture and contextual factors (time, location, etc.) into an adaptive, risk-based access decision, so that access is granted only when the combined risk is acceptable, improving both data protection and GDPR compliance.
- Ensure email security. To fulfill GDPR requirements, achieve full control and visibility over email activity to mitigate the threat of phishing and other email-based attacks on protected information, while enabling the secure and compliant exchange of sensitive and confidential data.