The massive Equifax breach that recently affected 143 million consumers would have led to hugely significant fines if the European Union’s General Data Protection Regulation (GDPR), which takes effect in May 2018, had already been in place.
Under the new rules, organizations that fail to protect sensitive data can be fined up to 4 percent of annual global turnover, or 20 million Euros, whichever is greater.
Since Equifax had $3.15 billion in operating revenue in 2016, the company could have faced fines of up to $126 million had the breach taken place after the GDPR went into effect.
What’s more, CipherCloud founder and CEO Pravin Kothari told eSecurity Planet by email, GDPR may well just be the beginning. “We expect GDPR to serve as a model for similar regulations in the U.S. and around the world, helping to protect individual privacy and thus minimize the economic threat from future breaches,” he said.
Preparing for GDPR
Still, a recent survey of more than 1,600 organizations worldwide found that 37 percent of respondents don’t know whether or not their organization needs to comply with GDPR, and 28 percent believe their organization doesn’t need to comply at all.
Just 10 percent of respondents believe their company is fully ready for GDPR, and 44 percent said they don’t know how close their organization is to compliance.
The survey, conducted by Vanson Bourne and sponsored by WatchGuard Technologies, also found that among respondents who think they don’t have to comply with GDPR, 14 percent collect personal data from EU citizens — and among those who are unsure whether they need to comply, 28 percent collect EU citizens’ data.
“Once enforcement for this new legislation begins, companies all over the world will feel its impact,” WatchGuard CTO Corey Nachreiner said in a statement. “Unfortunately, the data shows that an alarming amount of organizations are still unaware or mistaken about the necessity for GDPR compliance, leaving them three steps behind at this stage.”
“In the Americas alone, just 16 percent of organizations believe they’ll need to comply,” Nachreiner added. “With sensitive customer data and noncompliance fines at stake, every company with access to data from European citizens needs to ensure they truly understand GDPR and its ramifications.”
Thirty-five percent of respondents said their organization needs to comply with GDPR. Of those, 51 percent said they’ll need to make significant changes to their IT infrastructure in order to comply.
On the Way to Compliance
A separate STEALTHbits survey of 530 global cyber security professionals, conducted by Crowd Research Partners, found that while 90 percent of respondents are familiar with GDPR, just 32 percent said they’re either compliant or well on the way to compliance.
Thirty percent of respondents said they will need to make substantial changes to security practices and technology to be in compliance with GDPR.
The leading challenges to GDPR compliance cited by respondents were lack of budget (32 percent), limited understanding of the regulation (29 percent), and lack of expert staff with critical skills (28 percent).
Respondents said the most important initiative in meeting GDPR requirements is to make an inventory of user data and map it to protected categories (49 percent), followed by designing applications and databases to have privacy enabled by default (31 percent).