Over Half (52%) Do Not Currently Adequately Protect Personally Identifiable Information
The survey of 500 IT decision makers did not name EU GDPR in its questions, but asked about areas of policy that would be impacted by the regulation. It found 54% could not say all personally identifiable information was protected through anonymization and encryption in all digital locations. This alone could mean companies do not meet the “appropriate level of security” requirement specified in Article 32 of the regulation.
In terms of protecting EU citizens from data breaches, the survey found companies do not currently have the processes or technology in place to adequately meet EU GDPR requirements around data breaches:
- Only 52% of all of the companies surveyed are completely confident that they can report data breaches to the authorities within 72 hours of discovery. Yet only 55% are “completely confident” they have systems that could identify a breach from an external source, suggesting that a customer’s personally identifiable information could be traded unbeknown to the company or citizen, placing both at greater risk of fraud.
- Companies also admitted they cannot easily identify the data obtained in a breach. Less than half (46%) are completely confident that they could precisely identify the data that had been exposed in a breach.
Working with personal data
The EU GDPR regulations also state that “appropriate technical and organizational measures” should be in place to safeguard personal data and minimize data collection, processing and storage. Asked about key areas of data processing, several weaknesses were identified that could leave companies at risk, if not addressed:
- Only 41% of companies could say that data is automatically geo-fenced “every time” on servers, so it cannot be moved outside of the legal jurisdiction in which it resides.
- Companies audit the security standards of just 48% of their business partners’ storage locations.
- 54% of companies check on every occasion whether a customer has given permission for records to move between data processors, such as suppliers and business partners, before moving data.
- Just over a third (37%) of companies claim to have processes that allow them to remove data without delay from live systems and backups. Articles 16 and 17 of the EU GDPR specify that companies must be able to respond to citizen demands for the rectification or erasure of data within one month. 15% are currently building the systems that will give them this functionality.
Mark Hickman, COO at WinMagic, said of the findings, “A new era of data privacy and protection is just around the corner, and EU GDPR has to be a top boardroom priority. The findings show that companies have some way to go over the next 12 months if they are to ensure compliance, and must focus on some security fundamentals such as implementing encryption and data lifecycle protection technology. Compliance is not just a matter of avoiding fines; consumers care deeply about the abuse and loss of their data. The reputational damage from non-compliance can far outweigh the €20 million or 4% of global revenue fine that a company could receive. There is still time to get the technology and processes in place, but complacency is not an option.”
To receive comparative data of the different countries surveyed, please refer to the media contacts section at the bottom of this press release.
You can download the WinMagic EU GDPR readiness paper at the following link:
About the survey
The survey was conducted by independent global market research firm Vanson Bourne, throughout April 2017. 500 companies were interviewed online in the U.S., UK, France and Germany.
Based in Mississauga, Ontario, WinMagic provides key management for all encryption needs. With the leading SecureDoc product line, WinMagic continues to provide easy-to-use and robust data security solutions for wherever data is stored, providing enterprise grade encryption and key management policies for all operating systems. For more information, please visit www.winmagic.com or call 1-877-405-5220.