AvePoint and the Centre for Information Policy Leadership (CIPL), a global privacy and cybersecurity think tank, today published the second annual Organisational Readiness for the European Union General Data Protection Regulation (GDPR) report. The report tracks the GDPR implementation efforts of over 235 multinational organizations.
The GDPR establishes formal regulations around data protection for organizations located in the European Union (EU) and organizations that have an EU presence. Non-compliance with the new rules can result in fines of up to 4 percent of annual global revenue, or €20 million (~$24 million). This year’s GDPR assessment is pivotal, with the GDPR effective date less than two months away.
Companies and Their Data Knowledge
The GDPR Readiness Report underlines how knowledgeable organizations are about their data contents and the data lifecycle. The report shows that knowledge levels vary widely among different aspects of GDPR implementation.
Approximately 60 percent of survey respondents are in the dark about the sensitive and confidential content they hold within their data and how it is used or treated. Conversely, knowledge levels surrounding data security are increasing, with two-thirds of organizations reporting that they have internal breach notification procedures in place. More than half report having a response plan and team in place.
“The report shows that companies are not where they need to be in terms of compliance efforts. GDPR merely exacerbates how much oversight is needed to enforce changes down to the individual level,” said AvePoint Chief Risk, Privacy and Information Security Officer Dana Simberkoff. “The long road ahead is quickly becoming a short path as we approach the May 25, 2018 date. This assessment magnifies areas that need major improvement. Knowing where you are on the GDPR readiness scale is half the battle.”
Comprehensive Programs and Consent
Compared to the previous 2017 report, building and maintaining a comprehensive privacy compliance program remains one of the highest-impact areas for organizations on the road to GDPR compliance. More than half of respondents have committed additional budget to GDPR implementation, with increases ranging from hundreds of thousands of dollars to upwards of $50 million. Organizations report technology tools and software as the number one priority for GDPR-focused budget spending.
Survey data shows that respondents still rely heavily on manual methods for building and maintaining inventories of their data processing. For example, 60 percent of organizations do not have any procedures in place to identify and tag data.
“GDPR implementation consists of multiple layers of complexity,” said Bojana Bellamy, president, Centre for Information Policy Leadership. “The survey reveals that while some progress has been made in preparation for 25 May 2018, there is more work to be done by organizations that will have to step up their implementation efforts across many key-change areas. Reviewing data management strategies, building new comprehensive compliance programs, and putting in place new systems, processes and procedures to facilitate the changes are crucial to successful GDPR implementation.”
Other Key Findings
- More than a third of organizations have no framework or procedures in place to identify and classify risk to different individuals; an equal number of organizations are working on developing such a framework.
- Approximately 32 percent of organizations have committed additional staff to their GDPR implementation efforts, an increase from under a quarter as noted in the previous report.
- Over half of survey respondents have operations in the United States.
Learn More at the IAPP Global Privacy Summit
CIPL President, Bojana Bellamy, AvePoint’s Chief Risk, Privacy and Information Security Officer Dana Simberkoff, and Vice President of Product Strategy John Hodges will be available during the International Association of Privacy Professionals (IAPP) Global Privacy Summit held at the Walter E. Washington Convention Center in Washington, D.C., March 27-28.
Join Simberkoff and Hodges for the session, “Metadata is a Love Note to the Future (And Will Help You Comply With GDPR!)” on Tuesday, March 27, 4:15-5:30 p.m. ET.
Additionally, join Bellamy for the session, “Regulating for Results: Effective Use of Both Carrot and Stick” on Wednesday, March 28, 8:00-9:00 a.m. ET.
To access the full report, visit the AvePoint website. To gauge GDPR compliance progress, visit the AvePoint Privacy Impact Assessment (APIA) System website.