Survey Shows Disparity in GDPR Preparedness and Concerns
26.5.2017 securityweek Privacy
The European General Data Protection Regulation will take effect in exactly one year from today. It will affect any company that does business with the EU, whether that company is based in Europe or elsewhere (such as the US). While there have been many surveys indicating that affected firms are far from prepared, there are few that highlight the geographic disparity in readiness.
One Year Out: Views on GDPR (PDF), conducted by Vanson Bourne for Varonis, is particularly detailed. It surveyed 500 IT decision makers in organizations with more than 1,000 employees in the US (200), the UK (100), Germany (100) and France (100). Unlike many such surveys, it includes the raw data, allowing readers to dig deep into areas of interest or concern.
Unsurprisingly, given other surveys, the headline result is that 75% of respondents "face serious challenges in being compliant with the EU GDPR by 25th May 2018." This result is consistent across all four nations, but those who strongly agree range from 15% in the UK (the lowest) to 25% in the US (the highest).
The cause of this disparity may be found in senior management's attitude towards GDPR. Overall, 42% of companies do not view compliance by the deadline as a priority. Thirteen percent of firms 'strongly agree' with this -- but the detail ranges from just 6% in the UK to 19% in the US (France and Germany are equal at 10%).
It is tempting to suggest that this is influenced by history: the UK regulator has traditionally been 'business-friendly', allowing companies to be more relaxed towards data protection than their counterparts in France and Germany. US companies (apart from the major tech firms such as Google, Facebook and Microsoft) have little experience of European regulators.
But while the survey may indicate a lack of urgency at the management level, the respondents themselves indicate serious concern over the potential effect of GDPR. Overall, 75% of respondents believe that fines imposed for breaching regulations could cripple some organizations. Here, US concerns (81%) are above average, with France being the least concerned at 64%. It would appear that US practitioners are more concerned about GDPR than are their managers.
The survey also provides detail on what aspects of GDPR are most concerning. Not surprisingly, the erasure right (the right-to-be-forgotten) in Article 17 tops the list at 55% overall. Somewhat surprisingly given the apparent link between this and the American constitutional right to freedom of speech, the US respondents were the least concerned at 48%. Equally surprising, UK concern was by far the highest at 71%.
The second biggest concern is the requirement to keep records of processing activities, contained in Article 30; that is, visibility into and control over who has access to the data. Overall concern was steady at 52%, with regional variations limited to the lowest at 50% (UK) and the highest at 53% (US).
"What's most worrying about the findings," comments Matt Lock, director of sales engineers at Varonis, "is that one in four organizations doesn't have a handle on where its sensitive data resides. These companies are likely to have a nasty wake-up call in one year's time. If they don't have this fundamental insight into where sensitive data sits within their organizations and who can access and who is accessing it, then their chances of getting to first base with the regulations are minuscule and they are putting themselves firmly at the front of the queue for fines."
The concern showing the greatest disparity is over data protection by design (Article 25). The least concern comes from France at 35%, with the highest from the US at 55% (this is the highest of all concerns for the US respondents). It seems to reflect a general concern that GDPR might impinge on innovation -- with the highest concern coming from perhaps the most entrepreneurial nation.
It would be wrong, however, to think that the respondents have only negative thoughts and worries about GDPR. Thirty-six percent of respondents believe it will be very beneficial for both consumers and organizations. This, however, ranges from a very low 12% in the UK to an encouraging 47% in the US. In purely business terms, 57% of UK respondents believe it will prove troublesome for organizations, while only 36% of US respondents think the same.
The top benefit for private citizens is that their personal data will be better protected (54%). The UK (61%) and the US (59%) lead France (45%) and Germany (47%) in this. The order is reversed, however, over whether GDPR will make it less likely that PII will be passed to third parties. The UK (24%) and the US (32%) are behind both France (35%) and Germany (36%). Confirming these views, very few respondents could see no benefits from GDPR -- and most of those seem to be in the UK (11%). Only 5% of US organizations hold a similar view.
A particularly interesting section of the report deals with expected outcomes from the GDPR, with wide variations on which regulator is expected to be the most stringent. Overall, Germany tops the list at 76%, with German respondents in the lead at 85%. The UK is second overall at 57% -- which could be surprising given the UK regulator's soft historical approach and the UK government's insistence that it will implement GDPR in as business-friendly a manner as possible. This view is distorted, however, by the UK and US respondents' scores of 76% each. France (35%) and Germany (24%) are far less confident that the UK regulator will be rigorous.
Ninety-two percent of respondents suspect a particular industry will be singled out as an example in the event of a breach. Banking is seen as the most likely at 26% overall. This figure is distorted by the UK response at 52%. Both France and Germany individually believe that any example will more likely come from the technology and telecommunications industry.
A high number of respondents (82%) also believe that a particular country will be singled out if one of its organizations is in breach of GDPR. The overall favorite is the UK at 23% -- but this is distorted by the UK respondents (48%), who are perhaps concerned with the after-effects of Brexit. Noticeably, only 2% of French and 11% of German respondents have a similar view.
Nevertheless, 68% of respondents believe that a UK company (as opposed to the UK in general) will be singled out and punished because of Brexit. This belief is strongest in the US (77%) and the UK (70%), and less so, but still high, in France (58%) and Germany (57%).
What this survey shows above all is that while there is a general lack of preparedness for GDPR among most organizations, specific concerns and expectations can vary widely between the different nations. The level of detail provided goes far beyond many similar surveys, and allows individual readers to dig deeper into specific areas. The value in this is that by evaluating other countries' and organizations' concerns, individual readers can rate their own preparedness.