A new report focusing on Europe’s General Data Protection Regulation (GDPR) preparedness shows a worrying disconnect between Business and Security. GDPR will come into effect in May 2018, and perhaps more than any other security regulation will require close cooperation between Business, IT and Security to enable and ensure regulatory compliance across the whole organization. The penalty for failure is severe: up to €20 million or 4% of global turnover — and the reach of the regulation is effectively global.
NTT Security interviewed 1,350 non-IT decision-makers across the globe. It sought to understand GDPR awareness across the business, and measure how well information security policies are being communicated across the business. The results (PDF), it suggests, are mixed. While there is some improvement in general security policies, there is poor understanding of security-related regulations in general, and GDPR in particular.
This lack of understanding starts from the very basics: only 4 in 10 respondents recognize that GDPR will affect their own organization. The reality is that it will affect any business anywhere in the world that trades with the European Union or has any customers that are citizens of the European Union.
The lack of understanding is far greater in America, where 75% of businesses do not believe that GDPR is relevant to them. The figures are similar in Australia (74%) and Hong Kong (71%).
The most promising figures, unsurprisingly, come from within Europe, where the proportion of businesses that do not believe GDPR applies to them is lowest: Switzerland (42%), and Germany and Austria (53%). More surprising, however, is the lack of awareness in the UK, where 61% of respondents are unaware of the GDPR implications.
It’s not clear why the UK has such a low level of awareness. It could be down to Brexit and a feeling that EU regulations will no longer apply in the UK — but this would be a false assumption. The UK will still be a part of the EU when GDPR becomes part of UK law in May 2018; and even outside of Europe, UK companies — like US companies — will need to comply if they wish to trade in or with Europe. Or it could be a response to the traditional ‘light touch’ operated by the UK regulator (the Information Commissioner’s Office).
The general lack of awareness is more concerning for GDPR than most other security-related regulations because GDPR is not just about security and the prevention of breaches — it’s just as much about how personally identifiable data is handled. For example, a strict requirement is that without other arrangements (such as Privacy Shield) European data must not be exported from Europe. Similarly, it may not be exported to a third party without the user’s express permission.
To meet these requirements, companies will need to know exactly where the data is held, and who has access to it. This is potentially problematic given the widespread use of cloud storage and the personal use of cloud apps. To combat this, it will be important for every employee to understand what can and cannot be done with the data, and where it can and cannot be stored. However, a third of all respondents don’t even know where their company data is stored. Of the two-thirds who know where it is stored, only 45% are definitely aware of how the new regulations will affect the storage.
Incident response is a second area that will require careful planning. Any breach likely to result in a risk to the rights and freedoms of individuals has to be notified to the relevant EU regulator within 72 hours (although full disclosure can then be staggered). Where there is a ‘high risk’ to individuals, those affected must be notified directly. Failure in this part of GDPR can result in a penalty of up to €10 million, or 2% of global turnover.
To comply with disclosure requirements, companies need to have a detailed and thorough incident response plan in place; and for this to be effective, all aspects of the business (not just IT and Security) need to know exactly what must be done, and when it must be done.
Fewer than half (48%) of organizations have an incident response plan, although a further 31% are implementing one. However, a plan is only words if people do not understand it. Within the 48% of companies with an incident response plan, only 47% of the decision-maker respondents are fully aware of what that plan includes. This is particularly worrying since an effective plan can only be put in place with widespread involvement across the business.
“In an uncertain world,” warns Garry Sidaway, an SVP at NTT Security, “there is one thing organizations can be sure of and that’s the need to mark the date of 25 May 2018 in their calendars. While the GDPR is a European data protection initiative, the impact will be felt right across the world for anyone who collects or retains personally identifiable data from any individual in Europe. Our report clearly indicates that a significant number do not yet have it on their radar or are ignoring it. Unfortunately, many organizations see compliance as a costly exercise that delivers little or no value; however, without it, they could find themselves losing business as a result, or paying large regulatory fines.”
The EU’s recent fine of €2.42 billion ($2.73 billion) on Google suggests European regulators will not hesitate in levying large fines for serious and repeated GDPR transgressions.