The GDPR is Coming: We Shed Light on What’s Still Not Working

On May 25, the biggest shake-up to Europe’s data protection laws in almost a generation will finally take effect, after years of planning. For any US organization handling data on EU citizens, including service providers, it means you could face hefty fines of up to €20m ($24.7m) or 4% of global annual turnover for non-compliance. That should get the attention of any board. Yet awareness remains patchy. Research gathered by Trend Micro reveals that firms still aren’t investing in the right areas ahead of the regulation and could be dangerously under-prepared.

For those looking for guidance, we’ve put together a new weekly video series to show Trend Micro’s compliance journey.

Rights and obligations

The GDPR is a huge piece of legislation designed to improve consumer rights over the data organizations hold on them. As a result, it puts strict new obligations on those organizations, many of which revolve around data security and protection. The regulation is not prescriptive about what technologies firms should put in place — except for encryption and pseudonymization tools — but it does demand that firms follow the “state of the art” and implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”

In layman’s terms, this means following current best practice security approaches. However, our results showed a worrying disconnect between the law and the reality on the ground.

Unprepared and under-funded

We polled over 1,000 IT decision makers from around the world, including the US, and found just half (51%) have increased security investments to help with compliance. This is despite a quarter of respondents complaining that “lack of sufficient IT security protection” (25%) and a “lack of efficient data security” (24%) are the biggest challenges to compliance efforts.

Digging deeper, we found that less than a third (31%) have invested in encryption, despite its prominent mention in the GDPR. Data Loss Prevention (33%) and advanced technologies designed to detect network intruders (34%) were also largely ignored. It’s not all about technology, of course. Investments in security tools will only be effective if used as part of a considered security and compliance strategy, watertight policies and processes, and a focus on the people side of security. Yet, worrying, just 37% of global organizations said they’d invested in staff awareness programmes.

Part of the reason could be a lack of funds: a quarter of respondents (25%) claimed that limited resources are the biggest challenge to compliance.

The concerns don’t end there. There are strict new rules around breach notification in the GDPR. Article 34 of states that individuals must be notified within 72-hours if a breach results in a high risk to their rights and freedoms. Yet a fifth (21%) of respondents said they have a formal process in place to notify only the data protection authority, while 6% said they have no process in place at all, and 11% didn’t know if they had one or not.

A holistic approach

The GDPR is all about encouraging greater accountability and transparency among organizations that handle customer and employee data. Regulators aren’t looking to punish straightaway following the May 25 deadline, but they do want to see organizations clearly taking this seriously — showing they’ve understood the regulation and have the best interests of their customers at heart.

Our findings show there’s still some way to go before this translates into widespread adoption of best practice approaches to data protection. We must also remember that GDPR compliance is far bigger than IT security, and will require the commitment and involvement of stakeholders from all over the organization.

For those looking to see how Trend Micro has prepared for this major update to Europe’s privacy laws, check out our new video series.