Posted by Neil Thacker, Deputy CISO, Forcepoint
As the majority of IT and security professionals will be well aware, the European Union General Data Protection Regulation (GDPR) will become enforceable by law on 25th May 2018. But what are the biggest concerns around this among businesses? How are organisations prioritising their preparations around the legislation? And what do companies really think about the regulation?
To find out, Forcepoint recently partnered with Computing Magazine to survey 100 business decision makers, representing companies ranging in size from fewer than 250 employees to organisations with thousands, across a range of industry sectors. The full report, GDPR – The Final Countdown, is available here.
When asked what they saw as the hardest aspect of GDPR to comply with, the biggest concern was the right of erasure (the right to be forgotten). This was stated by over half (51%) of those surveyed, with around one in four also saying they are not particularly or at all confident that they would be ready to honour requests made under this rule.
This suggests that good data practices have perhaps been neglected across UK businesses, with IT professionals uncertain about the location or status of people’s data records. It may also indicate that companies have concerns about their data supply chains, as they begin to understand, monitor and make sense of the data that flows in and out of their organisations.
Surprisingly, just 27% of respondents identified the 72-hour breach notification rule (the window within which businesses must inform authorities of a data breach) as the biggest challenge. Similarly, only a quarter of those surveyed highlighted the requirement that personal data can only be transferred to countries or multinationals with data protection standards comparable to those of the EU.
Both of these elements of the regulation are expected to have a significant impact on UK businesses, and while the reasons behind the results are not clear, it is possible that the current EU-US Privacy Shield agreement has influenced the latter. This agreement covers data transfer between the EU and the US, meaning that many of those surveyed may already be on top of this requirement, thereby making it less of a concern. However, the provisions of the GDPR go a lot further than the aforementioned legal framework, particularly on the issue of self-certification.
Just 27% of respondents identified the 72-hour breach notification rule as the toughest feature of the GDPR to comply with. It may be that, within the range of industry types surveyed, financial, healthcare or legal firms were well represented, as these companies already operate under strict regulation about data breach notification – or it may be that companies are genuinely confident that they will be able to comply with this requirement.
In addition, all those surveyed were also asked for their thoughts on the exact wording of the data breach notification requirements, under which even the loss of an unencrypted USB stick must be reported. Interestingly, the majority (53%) of respondents said that they were broadly in favour of this stipulation, but were waiting to see the fine print and, in all likelihood, the first court cases brought under the regulation.
GDPR will also have an impact on businesses using cloud services with data centres based outside of the EU, as it will only take minimal use of an international public cloud to potentially put an organisation in breach. One example is storing personal information in a local folder that is then synchronised to a cloud storage service such as Box, Dropbox or OneDrive.
The vast majority of those surveyed considered the use of cloud services to be a business risk, with only 13% of respondents discounting this risk. On deeper examination of specific concerns, the top worry was not being sure where data resides (data sovereignty issues) at 52%, closely followed by a lack of direct control (47%) and perceived issues over compliance with laws and regulations (45%).
Forcepoint was pleased to see that on the whole, the adoption of the GDPR is viewed positively, with 41% of those surveyed agreeing that ‘most data protection regulations are necessary as they create a stable business or professional environment, even if complying can be hard at times’. More than a quarter (27%) went as far as to concur that ‘while some data protection regulations are an excessive burden, in general they ensure best practice and innovation, which is a positive thing’.
With critical data everywhere within organisations today, and all too often sitting alongside personal data on employee devices, it is challenging for businesses to see how and where data is used. A data breach, whether a malicious or an unintentional act, ultimately inflicts the most damage at the points at which people interact with critical business data and intellectual property. These ‘human points’ of interaction have the potential to undermine even the most comprehensively designed systems.
We believe that by examining these interactions and understanding how and why they occur, security professionals will be better able to manage how and why people create risk. We hope that the GDPR will further encourage businesses to adopt such an approach.
For more information and to read the full report, visit: GDPR – The Final Countdown.