There may be just weeks to go until the introduction of EU general data protection regulation (GDPR) laws, but recent research suggests that most companies still haven’t introduced data-classification schemes and just 9 percent are leveraging automation to do so – despite growing recognition that better data management is critical for maintaining compliance in the long term.
Nearly 60 percent of respondents to AvePoint’s updated Organisational Readiness for the European Union GDPR survey said they had no procedures in place to identify and tag the data they collect – a core capability necessary to comply with a broad set of rules that include, among other things, the requirement that companies be able to produce a customer’s data upon request.
Just a fifth of respondents said they were using automated software tools to track their data’s full lifecycle, with just 9 percent using automated tagging and most respondents relying heavily on manual methods for tracking their data.
This finding would, the report’s authors warned, be “particularly significant” given the strict 72-hour deadline for notification around a data breach. However, the result was doubly surprising since 40 percent of respondents – well up from 26 percent a year earlier – said that senior management no longer considered the impact of security breach notifications to be a priority concern.
This may be surprising to many, given widespread reports that GDPR compliance is still progressing in fits and starts. One recent CenturyLink Emea report, for example, found that just 25 percent of 150 legal-sector IT decision-makers said their firms were GDPR ready.
“With an incredibly broad definition of ‘personal data’, and fines reaching up to four percent of a company’s annual revenue,” SpringCM vice president of public sector Gary Wootten warned, “these law firms are running out of time to take action… the majority are leaving themselves open to the possibility of potentially debilitating violation fines.”
Aiming to bolster compliance for stragglers – particularly in Australia, where many companies may not realise that they also face GDPR compliance requirements – industry association ISACA last week launched a GDPR Assessment tool to help enterprises gauge their readiness and identify areas where they can close reporting and functional gaps.
Technology and tools have become the biggest single area of GDPR-related spending, suggesting that many of those executives perceived that past and present investments in security tools had resolved the difficulties around breach notification. Yet while many organisations may be ready to purchase tools, many others still lack the expertise or the right tools to proceed with implementation.
GDPR-mandated data privacy officers (DPOs) should join IT and business stakeholders to ensure that acquired technologies and tools meet GDPR requirements, AvePoint’s analysts recommend, noting that “it is important that organisations critically assess whether their automated decisions in fact produce legal or similarly significant effects.”
Given what should be the advanced state of GDPR preparations, many companies risk passing the implementation date without viable compliance mechanisms in place. Gartner, for one, has forecasted that half of organisations will still be non-compliant at the end of 2018.
Organisations must focus on five key areas as a matter of priority, Gartner said, including the determination of the organisation’s role under GDPR; the appointment of a DPO; demonstration of accountability in all data processing activities; checking cross-border flows and addressing potential compliance issues through contractual updates; and preparing for consumers to exercise GDPR rights including the right to be forgotten, the right to data portability, and the right to be informed in the event of a data breach or other incident.
Just 22 percent of AvePoint respondents said they had implemented procedures to be able to extract their data in machine-readable format – up from 10 percent a year ago.
Yet while Gartner is among those identifying GDPR as an opportunity to create business value, it also noted that the legislation had created a quandary for data and analytics leaders that must balance improved access to data against increasing requirements around data risk and security.
This pressure had translated into changes in executive concerns around GDPR, with 43 percent saying that changes core processing principles would have a ‘high impact’, compared with 30 percent in 2016.
Some 32 percent of respondents had allocated additional staff to GDPR efforts, while 52 percent were committing additional budget to GDPR implementation as the deadline approaches. And 35 percent said they would not be allocating any additional resources for GDPR efforts.