A recent HyTrust survey [PDF] of 323 attendees at the VMworld 2017 conference in Las Vegas, Nevada found that just 21 percent of respondents said their companies are concerned about GDPR compliance regulations and have a plan in place for it.
Another 27 percent are concerned about GDPR but have no plan in place for it, 23 percent aren’t concerned and have no plan in place, and 29 percent are unaware of GDPR’s relevance to their organization.
“If you think GDPR doesn’t apply to your organization, think again,” HyTrust president and founder Eric Chiu said in a statement.
“Most organizations today are very aware of their security risks, but are not as far along with technology and processes to meet the GDPR compliance requirements, despite a May 2018 deadline that has significant fines for failure to comply,” Chiu added.
The survey also found that 22 percent of respondents are not using public clouds at all, and that the leading public cloud risk cited by respondents was “malicious or accidental exposure of workload data.”
Still, 10 percent of respondents admitted that they don’t encrypt data in public cloud deployments.
A separate Carbon Black survey of 120 business decision makers found that while 86 percent of respondents said they’re “reasonably” or “very” confident in their ability to comply with GDPR requirements regarding users’ rights to control all aspects of their personal data, 58 percent aren’t yet leveraging recognized frameworks or technologies to assess data risk.
The survey, conducted with Computing Magazine, also found that less than 10 percent of respondents believe their toolsets for classifying critical data and prioritizing risk to data are effective and easy to manage.
Twenty-four percent of respondents admitted they’re unsure whether their company conducts Data Protection Impact Assessments as required by GDPR, and 13 percent said they definitely don’t conduct them.
“In order to effectively identify and neutralize data breaches, it’s essential to know what constitutes normal network behaviors versus what is suspicious,” Carbon Black senior director for compliance and governance programs Chris Strand said in a statement.
“Failing to align the right data protection toolsets with people and processes, many organizations are at risk of non-compliance with the GDPR and, more importantly, putting their customers’ information in jeopardy,” Strand added.
Investing in Compliance
A recent IAPP-EY survey of 548 privacy professionals worldwide found that fully 95 percent of respondents, more than 75 percent of whom are located outside the EU, say the GDPR applies to their organization.
Seventy-five percent of EU survey respondents said GDPR compliance is the main reason for their privacy program. The same is true for 50 percent of U.S. respondents.
Responding organizations expect to hire a total of more than two full-time employees just to help with GDPR compliance.
Fifty-five percent of respondents plan to invest in technology to help with GDPR compliance, up from just 29 percent last year — and 63 percent plan to invest in training, up from 50 percent in 2016.
“Even though the EU’s GDPR has yet to take effect, organizations the world over are spending money on hiring and promoting privacy staff, training employees on privacy, purchasing technology to help with GDPR compliance, and pushing privacy awareness into every corner of the firm,” the report states.
Still, just 40 percent of respondents believe they’ll be fully compliant by next May’s GDPR deadline.