Connect with us

Hi, what are you looking for?



75 Percent of U.S. Companies Think GDPR Doesn’t Apply to Them

A new report focusing on Europe’s General Data Protection Regulation (GDPR) preparedness shows a worrying disconnect between Business and Security. GDPR will come into effect in May 2018, and perhaps more than any other security regulation will require close cooperation between Business, IT and Security to enable and ensure regulatory compliance across the whole organization.

A new report focusing on Europe’s General Data Protection Regulation (GDPR) preparedness shows a worrying disconnect between Business and Security. GDPR will come into effect in May 2018, and perhaps more than any other security regulation will require close cooperation between Business, IT and Security to enable and ensure regulatory compliance across the whole organization. The penalty for failure is severe: up to €20 million or 4% of global turnover — and the reach of the regulation is effectively global.

NTT Security interviewed 1,350 non-IT decision-makers across the globe. It sought to understand GDPR awareness across the business, and measure how well information security policies are being communicated across the business. The results (PDF), it suggests, are mixed. While there is some improvement in general security policies, there is poor understanding of security-related regulations in general, and GDPR in particular.

This lack of understanding starts from the very basics: only 4 in 10 respondents recognize that GDPR will affect their own organization. The reality is that it will affect any business anywhere in the world that trades with the European Union or has any customers that are citizens of the European Union.

General Data Protection Regulation (GDPR)

This lack of understanding is much higher in America where 75% of businesses do not believe that GDPR is relevant to them. This is similar to Australia (74%) and Hong Kong (71%). 

The most promising figures, unsurprisingly, come from within Europe: Switzerland (42%), and Germany and Austria (53%). More surprising, however, is the lack of awareness in the UK, where 61% of respondents are unaware of the GDPR implications. 

It’s not clear why the UK has such a low level of awareness. It could be down to Brexit and a feeling that EU regulations will no longer apply in the UK — but this would be a false assumption. The UK will still be a part of the EU when GDPR becomes part of UK law in May 2018; and even outside of Europe, UK companies — like US companies — will need to comply if they wish to trade in or with Europe. Or it could be a response to the traditional ‘light touch’ operated by the UK regulator (the Information Commissioners Office).

The general lack of awareness is more concerning for GDPR than most other security-related regulations because GDPR is not just about security and the prevention of breaches — it’s just as much about how personally identifiable data is handled. For example, a strict requirement is that without other arrangements (such as Privacy Shield) European data must not be exported from Europe. Similarly, it may not be exported to a third party without the user’s express permission.

Advertisement. Scroll to continue reading.

To meet these requirements, companies will need to know exactly where the data is held, and who has access to it. This is potentially problematic given the widespread use of cloud storage and the personal use of cloud apps. To combat this, it will be important for every employee to understand what can and cannot be done with the data, and where it can and cannot be stored. However, a third of all respondents don’t even know where their company data is stored. Of the two-thirds who know where it is stored, only 45% are definitely aware of how the new regulations will affect the storage.

Incident response is a second area that will require careful planning. Any breach likely to result in a risk to the rights and freedoms of individuals has to be notified to the relevant EU regulator within 72 hours (although full disclosure can then be staggered). Where there is a ‘high risk’ to individuals, those affected must be notified directly. Failure in this part of GDPR can result in a penalty of up to €10 million, or 2% of global turnover.

To comply with disclosure requirements, companies need to have a detailed and thorough incident response plan in place; and for this to be effective, all aspects of the business (not just IT and Security) need to know exactly what must be done, and when it must be done.

Less than half (48%) of organizations have an incident response plan, although 31% are implementing one. However, a plan is only words if people do not understand it. Within the 48% of companies with an incident response plan, only 47% of the decision-maker respondents are fully aware of what that plan includes. This is particularly worrying since an effective plan can only be put in place with widespread involvement across the business.

“In an uncertain world,” warns Garry Sidaway, an SVP at NTT Security, “there is one thing organizations can be sure of and that’s the need to mark the date of 25 May 2018 in their calendars. While the GDPR is a European data protection initiative, the impact will be felt right across the world for anyone who collects or retains personally identifiable data from any individual in Europe. Our report clearly indicates that a significant number do not yet have it on their radar or are ignoring it. Unfortunately, many organizations see compliance as a costly exercise that delivers little or no value, however, without it, they could find themselves losing business as a result, or paying large regulatory fines.”

The EU’s recent fine of €2.42 billion ($2.73 billion) on Google suggests European regulators will not hesitate in levying large fines for serious and repeated GDPR transgressions. 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The three primary drivers for cyber regulations are voter privacy, the economy, and national security – with the complication that the first is often...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


Many in the United States see TikTok, the highly popular video-sharing app owned by Beijing-based ByteDance, as a threat to national security.The following is...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...