The EU General Data Protection Regulation, also known as EU GDPR, goes into effect one year from today on May 25, 2018. The legislation includes various components related to how organizations collect, store, manage and protect customer data. However, our new “EU GDPR: Countdown to Compliance” research study found that organizations in various parts of the world struggle with multiple areas of data management and protection that could make it difficult to comply with the new legislation. Here are the top three challenges facing organizations based on our survey of over 750 IT professionals in the United States, United Kingdom, France, Germany and Spain and the steps you can take to prepare for EU GDPR compliance over the coming year.
Budgets are Tight, but American and European Companies Must Increase Spending on EU GDPR-Readiness Technologies and Processes
According to our study, the amount of spending will vary across different geographic regions, and it would appear that French, Spanish and German companies will spend more than their American and British counterparts. For example, 85 percent of Spanish companies will spend up to $3.99 million, while 77 percent of French companies and 73 percent of German companies will spend the same amount.
Although American companies may not be spending as much as their European counterparts, it’s still a positive sign that 65 percent plan to spend up to $3.99 million to become EU GDPR compliance-ready. Even though they aren’t located in the European Union, our study’s findings suggest that a significant portion of them collect and store data on European citizens and residents, which makes them accountable for complying with the EU GDPR requirements. Understanding data protection processes and auditing is the next important step in this process.
Locating Customer Data Will Be Half the Battle to Fulfill ‘Right to be Forgotten’ Requests
One of the more interesting and startling findings from our study is that most organizations struggle to identify and locate where all customer data is stored. In Germany, 15 percent of organizations admitted they don’t know where all customer data is stored, both on-premise and offsite. The United States (13 percent) and the United Kingdom (12 percent) have the second and third highest percentages of respondents who don’t know where all of their customer data is stored. For French organizations, however, the problem is somewhat worse: 20 percent rated their confidence in their ability to find all customer data as low, ranging from extremely unconfident to slightly unconfident.
Given that organizations in both America and Europe currently lack the bandwidth to identify and locate all customer data, it’s plausible that erasing users’ data would take them considerably longer. Our study bears this out: 50 percent of American companies said it would take between 5 days and one month to remove the user content. Similarly, 51 percent of the Spanish respondents said it would take the same amount of time to erase the user content. The outlook is slightly better for British companies, where 41 percent of the respondents said they would take this same amount of time.
Insecure and Unreliable Data Removal Methods Undermine Security and Compliance
Once organizations have solved the problem of identifying and finding where all customer data is stored, the next hurdle in complying with the EU GDPR’s ‘right to be forgotten’ requirement is properly erasing the data. But that means organizations must have the right software/technology in place to permanently and verifiably erase the data so that it can never be recovered. This is not an easy task to accomplish, especially when you consider that most organizations don’t understand the difference between insecure deletion methods and secure data erasure.
Additionally, most organizations use improper methods like dragging files and folders to the Recycle Bin on their desktop (which removes the file reference but leaves the underlying data recoverable) and free data wiping software, neither of which provides any proof of erasure for an audit trail and regulatory compliance. In fact, basic deletion is used by IT professionals in France (34 percent), the US (28 percent), Spain (26 percent), the UK (24 percent) and Germany (23 percent). Meanwhile, free data wiping solutions (without proof) are also used quite often by organizations in Spain (35 percent), the UK (33 percent), Germany (27 percent), the US (25 percent) and France (21 percent).
To learn more about how organizations across the globe are preparing for EU GDPR compliance, download the full report: EU GDPR: Countdown to Compliance.