Is your business GDPR compliant? Probably not…

A study from Veritas Technologies, a leader in multi-cloud data management, has found that organisations across the globe mistakenly believe they are in compliance with the upcoming General Data Protection Regulation (GDPR).

According to findings, almost one-third (31%) of respondents said that their enterprise already conforms to the legislation’s key requirements. However, when those same respondents were asked about specific GDPR provisions, most provided answers that show they are unlikely to be in compliance. In fact, upon closer inspection, only 2% actually appear to be in compliance, revealing a distinct misunderstanding over regulation readiness.

>See also: GDPR compliance: what organisations need to know

“With the EU’s General Data Protection Regulations (GDPR) less than one year away, organisations around the world are deeply concerned about the impact that information non-compliance can have on their brand and loyalty of their customers,” said Jason Tooley, Vice-President, Northern Europe, Veritas.

The findings from the report show that almost half (48%) of organisations who stated they are compliant do not have full visibility over personal data loss incidents. Moreover, 61% of the same group admitted that it is difficult for their organisation to identify and report a personal data breach within 72 hours of awareness – a mandatory GDPR requirement where there is a risk to data subjects.

Any organisation that is unable to report the loss or theft of personal data – such as medical records, email addresses and passwords – to the supervisory body within this timeframe is breaking with this key requirement.

The findings in this report suggest that organisations that think they are already compliant with the GDPR should revisit their compliance strategies. Failure to meet GDPR requirements could attract a fine of up to 4% of global annual turnover or €20 million, whichever is greater.

>See also: 3 Steps to achieve better GDPR compliance

Tooley added: “The results today show that more education is needed on the tools, processes and policies to support information governance strategies that are required to comply with the GDPR requirements. Creating an automated, classification-based, policy-driven approach to GDPR is key to success and will enable organisations to accelerate their ability to meet the regulatory demands within the short timeframes available.”

Difficulty in identifying a data breach in 72 hours
Difficulty in identifying a data breach in 72 hours

The former employee threat

Restricting former employee access to corporate data and deleting their systems credentials helps to stem malicious activity and ensure that financial loss and reputational damage are avoided.

>See also: 1 in 4 UK businesses have CANCELLED preparations for GDPR

Yet, a staggering 50% of so-called compliant organisations said that former employees are still able to access internal data. These findings highlight that even the most confident organisations struggle to control former employee access and are potentially susceptible to attacks.

Challenges exercising “the right to be forgotten”

Under the GDPR, EU residents will have the right to request the removal of their personal data from an organisation’s databases. However, Veritas’ research shows many organisations that stated they already are in compliance will not be able to search, find and erase personal data if the “right to be forgotten” principle is exercised.

Of the organisations that believe they are GDPR-ready, one-fifth (18%) admitted that personal data cannot be purged or modified. A further 13% conceded that they do not have the capability to search and analyse personal data to uncover explicit and implicit references to an individual. They are also unable to accurately visualise where their data is stored, because their data sources and repositories are not clearly defined.

>See also: Why data suppression is key to GDPR compliance 

These shortcomings would render a company non-compliant under the GDPR. Organisations must ensure that personal data is only used for the reasons it was collected and is deleted when it’s no longer needed.

Demystifying GDPR responsibility

Veritas’ research also found that there is a common misunderstanding among organisations regarding the responsibility of data held in cloud environments. Almost half (49%) of the companies that believe they comply with the GDPR consider it the sole responsibility of the cloud service provider (CSP) to ensure data compliance in the cloud.

In fact, the responsibility lies with the data controller (the organisation) to ensure that the data processor (the CSP) provides sufficient GDPR guarantees. This perceived false sense of protection could lead to serious repercussions once the GDPR is enacted.

“Organisations who actively focus on development of a culture of data confidence will have a clear business advantage. Customer and supplier confidence in the use of data is critical to improved customer engagement, greater personalisation and ultimately service quality. This allows organisations to turn GDPR from being a regulatory challenge to being a business differentiator,” Tooley commented.

>See also: Majority of CISO’s begin prioritising GDPR compliance

“The complexity created through the management of data across multiple cloud and on-premise environments is accentuating the challenge and will inhibit an organisation’s ability to remain compliant in the face of the GDPR articles. For every organisation that’s currently struggling to make sense of the GDPR’s provisions, it should immediately seek an advisory service to audit its levels of preparedness and create a smooth and accelerated path towards total compliance.”

The GDPR is intended to harmonise data privacy and protection mandates across European Union (EU) member states. It requires organisations to implement the appropriate protection measures and processes to effectively govern personal data. The GDPR will take effect on May 25, 2018 and will apply to any organisation – inside or outside the EU – that offers goods or services to EU residents, or monitors their behaviour.


The UK’s largest conference for tech leadershipTech Leaders Summit, returns on 14 September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...

Related Topics