DevSecOps: Balance Speed and Agility with Security and Compliance REGISTER >
With the deadline for compliance with the EU General Data Protection Regulation (GDPR) just under a year away, a recent Varonis survey of 500 IT decision makers in the U.S., U.K., France and Germany found that over 90 percent of respondents anticipate challenges in complying with GDPR.
Fifty-five percent face challenges in meeting Article 17, which requires companies to find and target specific data and automate removal when requested by the consumer.
Fifty-two percent face challenges in identifying personal information on their systems, understanding who has access to it and who is accessing it, and knowing when this data can and should be deleted according to Article 30.
Fifty percent expect to struggle with Article 32, which requires organizations to ensure least privilege access, implement accountability via data owners and provide reports that policies and processes are in place and successful.
"Almost one third of respondents have not conducted a data impact assessment in order to determine who has access to personal data according to Article 35 of the regulation," Varonis technical evangelist Brian Vecci said in a statement.
"This means that they don't have a handle one where their most sensitive data resides," Vecci added. "You can't catch what you can't see, and if organizations aren't assessing their data risk profiles now, how do they know they're protecting their data from a breach today, let alone meeting these regulations in one year's time?"
Up to $4 Million in Costs
A separate Blancco Technology survey of more than 750 IT professionals found that 85 percent of Spanish companies, 77 percent of French companies, 73 percent of German companies and 65 percent of U.S. companies expect to spend up to $3.99 million on GDPR-readiness technologies and processes.
Fifteen percent of German respondents, 13 percent of U.S. respondents and 12 percent of U.K. respondents don't know where all of their customer data is stored.
Top GDPR priorities for U.S. organizations, the survey found, include meeting the 72-hour data breach notification rule (25 percent) and maintaining written records of data processing activities (25 percent). Key challenges to the "right to be forgotten" for U.S. respondents include improper handling/storage of IT equipment (21 percent) and insufficient budget (12 percent).
"The first priority for all companies should be to gain a complete picture of all data that is collected, stored or processed that contains EU citizen information," Blancco Technology Group chief strategy officer Richard Stiennon said in a statement.
"After that, companies must ensure that adequate means of protecting that data have been implemented, such as access being restricted to authorized personnel, proper authentication being used and proper procedures for backing up and archiving data and data sanitization policies being implemented to remove data when it is no longer needed or requested by customer," Stiennon added. "In addition, any third parties that have access to the data must be evaluated to ensure they too have adequate controls in place."
An earlier Imperva survey of 170 security professionals conducted at RSA Conference 2017 found that 51 percent of respondents said GDPR would impact their companies, while almost a third said it wouldn't impact them.
Forty-three percent of respondents said they're evaluating or implementing changes in preparation for GDPR, while 29 percent said they're not preparing and 28 percent said they're unaware of specific preparations.
"U.S. companies should be evaluating the impact GDPR will have on their data practices, given the major fines for non-compliance," Imperva chief product strategist Terry Ray said in a statement. "Companies need to begin the GDPR legwork now by documenting how personal data is collected and processed in their organizations."
SecureAuth CISO Danielle Jackson told eSecurity Planet by email that GDPR will change the way organizations view, store and secure their data. "For CISOs and their organizations, it means a new standard for data protection and ensuring the right policies are in place to ensure compliance," she said.
"With the one-year countdown starting, CISOs need to talk to their organization about introducing transparency to what data is being collected, how it is categorized and secured, and when personal information is exposed in a breach," Jackson added. "Now is the time for CISOs to put good practices in place."