Locating Customer Data Will Be Half the Battle to Fulfill EU GDPR’s ‘Right to be Forgotten’

Blancco Technology Group Study Finds Global Organizations Don’t Know Where All Customer Data Is Stored and Use Unreliable Data Removal Methods to Erase User Content

Atlanta and London, May 25, 2017 – EU GDPR is a game-changing piece of data protection legislation that goes into effect one year from today on May 25, 2018. While the legislation includes various components related to how organizations collect, store, manage and protect customer data, the ‘right to be forgotten’ gives individuals the right to have personal data erased. But if most organizations cannot locate where their customer data is stored (both on-premise and offsite), it will be difficult to fulfill ‘right to be forgotten’ requests, according to the “EU GDPR: Countdown to Compliance” research study released by Blancco Technology Group today.

As our study found, most organizations struggle with identifying and locating where all customer data is stored. 15 percent of German organizations admitted they don’t know where all customer data is stored, both on-premise and offsite. Plus, the United States (13 percent) and United Kingdom (12 percent) are the two countries with the second and third highest percentages of respondents who don’t know where all of their customer data is stored. For French organizations, however, the problem is somewhat worse with 20 percent saying their confidence level in their ability to find all customer data is low – ranging from extremely unconfident to slightly unconfident.

Richard Stiennon, Chief Strategy Officer, Blancco Technology Group, said, “If an organization cannot find their customers’ data, how will they be capable of erasing the data and complying with the EU GDPR’s requirement? Once they do finally locate their customers’ data, the next step is erasing the data permanently so that it can never be recovered. But as our study reveals, it’s quite common for organizations to use insecure and unreliable data removal methods, such as basic deletion and free data wiping software, which further undermines their security and compliance to EU GDPR.”

Key findings from the study include:

  • French, Spanish and German companies will beef up spending on EU GDPR-readiness technologies and processes. 85 percent of Spanish companies will spend up to $3.99 million, while 77 percent of French companies and 73 percent of German companies will spend the same amount. However, fewer American companies (65 percent) will spend this same amount.
  • 72-hour breach notification, records maintenance of data processing activities and ‘right to be forgotten’ top the list of EU GDPR priorities. Meeting the 72-hour data breach notification rule (25 percent) and maintaining written records of data processing activities (25 percent) both ranked as the top priorities for American organizations. British organizations are most concerned with maintaining written records of data processing activities (22 percent). Conversely, 22 percent of Spanish organizations will prioritize the appointment of a Data Protection Officer.
  • Insufficient budgets, improper handling/storage of IT equipment and lack of data removal software are the biggest roadblocks to the ‘right to be forgotten.’ 12 percent of the American respondents cited insufficient budget as their biggest challenge, while it’s also a challenge for French companies (17 percent), British companies (16 percent) and German companies (15 percent). Plus, improper handling/storage of IT equipment ranks as a major challenge for Spanish companies (28 percent), American companies (21 percent) and British companies (17 percent).
  • Insecure and unreliable data removal methods undermine security and compliance. Basic deletion is used by IT professionals in France (34 percent), US (28 percent), Spain (26 percent), UK (24 percent) and Germany (23 percent) to remove data. Meanwhile, free data wiping solutions (without proof) are used by organizations in Spain (35 percent), UK (33 percent), US (25 percent), Germany (27 percent), US (25 percent) and France (21 percent).
  • Data Protection Officers are uncommon and costly additions. 59 percent of American companies and 53 percent of British companies are most likely to assign the responsibilities of a DPO to an existing role. In Germany, however, companies would be somewhat inclined to hire a new, dedicated role (40 percent). Meanwhile, 16 percent of French companies would outsource the role to a consultant.
  • Change begins with a data protection gap analysis. 41 percent of American organizations are currently undergoing a gap analysis and 43 percent of British organizations plan to start in the second half of 2017. In addition, 50 percent of Spanish organizations will do so in the second half of this year. But 14 percent of the French respondents and 14 percent of the German respondents will wait until 2018. 

Stiennon concluded, “The first priority for all companies should be to gain a complete picture of all data that is collected, stored or processed that contains EU citizen information. After that, companies must ensure that adequate means of protecting that data have been implemented, such as access being restricted to authorized personnel, proper authentication being used and proper procedures for backing up and archiving data and data sanitization policies being implemented to remove data when it is no longer needed or requested by customers. In addition, any third parties that have access to the data must be evaluated to ensure they too have adequate controls in place.”

For more details about the various requirements of the EU GDPR, visit the dedicated page on Blancco’s website.


About Blancco Technology Group

Blancco Technology Group (AIM: BLTG) is the de facto standard in data erasure and mobile device diagnostics. The Blancco Data Eraser solutions provide thousands of organizations with an absolute line of defense against costly security breaches, as well as verification of regulatory compliance through a 100% tamper-proof audit trail. Our data erasure solutions have been tested, certified, approved and recommended by 18 governing bodies around the world. No other security firm can boast this level of compliance with the most rigorous requirements set by government agencies, legal authorities and independent testing laboratories.

The Blancco Mobile Diagnostics solutions enable mobile network operators, retailers and insurers to easily, quickly and accurately identify and resolve performance issues on their customers’ mobile devices. As a result, mobile service providers can spend less time dealing with technical issues and, in turn, reduce the quantity of NTF returns, save on operational costs and increase customer satisfaction.

For more information, visit our website at www.blancco.com.


Media Contacts:

SHIFT Communications for Blancco Technology Group (US)
David Heffernan, Account Manager
T: (617) 779-1839
E: blancco@shiftcomm.com

SAY Communications for Blancco Technology Group (Europe)
Robert Hickling, Senior Account Manager
T: 44 (0) 20 8971 6427
E: blancco@saycomms.co.uk

Blancco Technology Group
Ragini Bhalla, Senior Director of Global Communications
E: ragini.bhalla@blancco.com

Latest Press Releases

Latest News

Latest Tweets