Less than two-thirds (63%) of global organisations have a breach notification process in place for their customers, while only half have increased investment in IT security ahead of the GDPR despite complaints from tech staff, according to Trend Micro.
The global cyber security firm polled over 1,000 IT decision makers from businesses with 500+ employees around the world: in the UK, US, France, Italy, Spain, Netherlands, Germany, Poland, Sweden, Austria and Switzerland.
Its findings revealed that just 51% have increased security investments to help with compliance, despite a quarter of respondents complaining that “lack of sufficient IT security protection” (25%) and a “lack of efficient data security” (24%) are the biggest challenges to compliance efforts.
Less than a third (31%) said they have invested in encryption, despite it being one of the few technologies named in the GDPR. Similarly, few organisations have spent money on data loss prevention (33%) or advanced technologies designed to detect network intruders (34%).
A quarter of organisations (25%) said that limited resources are the biggest challenge to compliance, offering further insight into some of the reasons behind this under-investment.
“The GDPR is clear that organisations must find state-of-the-art technologies to help repel cyber-threats and keep key data and systems secure. It’s concerning that IT leaders either don’t have the funds, or can’t find the right tools to tackle compliance,” said Simon Edwards, cyber security solution architect at Trend Micro. “Organisations need defence-in-depth combining a cross-generational blend of tools and techniques, from the endpoint to the network and hybrid cloud environment.”
Aside from a lack of investment in security, the research also revealed that just 37% of global organisations have invested in staff awareness programmes.
The 72-hour window
The study also uncovered evidence that many firms aren’t prepared to handle new requirements to notify of a breach within 72 hours.
A fifth (21%) of respondents said they have a formal process in place to notify only the data protection authority. However, Article 34 of the GDPR states that individuals must also be notified if a breach results in a high risk to their rights and freedoms.
Some 6% of respondents said they have no process in place at all, while a worrying 11% didn’t know if they had one or not.
There are also concerns around preparations to support the so-called “right to be forgotten”, a key part of the GDPR.
Although 77% of global respondents said they have adequate processes to address any customer requests concerning personal data managed by the organisation, it was a different story for data handled by third parties.
Around a third of organisations either didn’t know or had no processes/tech in place to handle right to be forgotten requests for data collected by third-party agencies (36%), cloud providers (32%) and partners (32%).