When I attended some conferences in the early spring, the European Union General Data Protection Regulation (GDPR) was the main point of conversation and conference sessions. It was bigger than ransomware and IoT security, which were the major talking points of RSA and previous cybersecurity conferences. It made sense that GDPR was taking center stage in the spring. The regulations go into effect May 2018, so these conversations served as a one-year countdown.
But it seems GDPR is back in the news – or on my radar, at least – as multiple organizations have investigated just how prepared companies are for the upcoming regulations. The Equifax breach has really put GDPR in the spotlight. In conversations I had at NEXT 2017, the general consensus was that the Equifax breach, and other big-name events like the SEC and Deloitte incidents, would have been dealt with very differently if GDPR would have begun in May 2017.
Like it or not, most businesses in the United States will have to follow GDPR. That includes small shops with an online store and with customers based in the EU. But new studies show that when May 25, 2018, comes around, a lot of companies, large and small, are going to be unprepared.
A new poll from Waterline Data found that, perhaps unsurprisingly, zero percent of the data professionals surveyed have completed the implementation of a GDPR data compliance process. However, slightly more than half have begun conducting risk assessments in preparation. And as Todd Goldman wrote for Make Big Data Work:
If you haven’t seen the research yourself, the big takeaway was this: 75 percent of the IT decision makers polled admitted it will be a struggle for their organizations to be in compliance with GDPR before the May 25, 2018 deadline. As staggering as this figure is, it didn’t surprise me. But what did surprise me was that 42 percent say GDPR simply isn’t a priority—even despite the threat of severe penalties (up to €20M or 4% of total worldwide annual revenue of the preceding year, whichever is higher).
Meanwhile, the September 2017 Netskope Cloud Report had similar findings, reporting that 75 percent of cloud services aren’t GDPR ready, adding:
Of those of cloud services in use, only 24.6 percent received a GDPR-readiness rating of “high,” based on attributes like location of where data are stored, level of encryption and data processing agreement specifics.
Clearly, with eight months to go until May, most organizations are way behind and are going to struggle to meet the deadline. But preparedness help is available. The Information Security Forum (ISF) has just released its GDPR Implementation Guide, which presents the ISF Approach for GDPR Compliance (the ISF Approach) in two phases:
- Phase A: PREPARE by discovering personal data, determining compliance status and defining the scope of a GDPR compliance programme.
- Phase B: IMPLEMENT the GDPR requirements to demonstrate sufficient levels of compliance.
As Steve Durbin, managing director, ISF, said in a formal statement:
The need for organizations to prioritize data protection and information security has never been greater. A well-funded, well-governed and enterprise-wide GDPR compliance program will demonstrate an organization’s commitment to data protection and security.
How prepared are you?
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba