96% of companies still do not fully understand the European General Data Protection Regulation, GDPR, despite the regulation drawing ever nearer.
Due to come into effect in May 2018, Symantec polled 900 business and IT decisions makers in the UK, France and Germany to see where they were on the road to GDPR compliance. Some had still a way to go on the compliance journey, with 91% concerned about their ability to become compliant. The study also revealed only 22% of businesses consider compliance a top priority in the next two years, despite only 26% of respondents believing their organisation is fully prepared for the GDPR.
“These findings show businesses are not only underprepared for the GDPR – they are underpreparing,” said Kevin Isaac, senior vice president, Symantec. “There is a significant disconnect between how important privacy and security is for consumers, and its priority for businesses. The good news is there’s still time to remedy the situation – if firms take immediate action.”
Of huge concern was the 23% of those surveyed who said that their organisation will not be compliant at all, or will be only partly compliant, by 2018. Of this group, a staggering 20% believe it is even possible to become fully compliant with the GDPR, with nearly half (49%) believing that while some company departments will be able to comply, others will not. This stark lack of confidence in meeting the May 2018 deadline leaves businesses at risk of incurring significant fines.
Symantec’s State of European Data Privacy Survey revealed that many companies are not even making the necessary organisational and cultural changes they need to make ahead of May 2018. Almost one in 10 said all employees can access customers’ personal information, while 6% said that all staff can access customers’ payment details. Of great concern is the mere 14% who believed that everyone in the organisation has a responsibility to ensure data is protected.
With such wide-reaching access to people’s personal information, businesses are underestimating the challenges they will face in managing this in line with the GDPR.
Less than half of those surveyed (47%) said managing data ethically is a top priority for their organisation, and less than half again said they would be increasing security training. Just 27% plan on a complete overhaul of their approach to security for GDPR.
Peter Gooch, cyber risk partner at Deloitte, said: “Whether companies will successfully navigate the GDPR regulation hinges on their willingness to embrace privacy by design. They must also understand that good security and privacy processes can provide a substantial competitive advantage and be a driver in gaining consumer trust, in addition to being driven by regulatory requirements.”
GDPR is just one worry for businesses still trying to grapple with compliance, with a growing customer disconnect also looming. This highlights how businesses are out of touch with consumer expectations when it comes to data privacy and security.
Nearly three quarters (74%) of businesses do not think an organisation’s privacy track record is a top three consideration for customers when choosing who to do business with, despite customers asking about data security in more than a third (36%) of transactions.
Equally concerning is the finding that 35% of respondents do not believe their organisation takes an ethical approach to securing and protecting data.