As per the study, organizations still lack continuous encryption for personally identifiable information
With just one month until the new EU General Data Protection Regulation Legislation (GDPR) comes into force, data security company, WinMagic, has released the findings of research that suggests many companies will not be ready when it takes effect on May 25th, 2018.
The research of 482 IT Decision Makers was conducted during March 2018 in the UK, Germany, India and the US by Viga.
The key findings in India are:
- 21% of companies in South India do not use automatic geo-fencing to prevent moving of data outside of the legal jurisdiction it resides
- 73% of companies in Central India and 74% in East India do not check whether customers have given permission for their records to move from the companies’ servers to partners’ servers
- 24% of companies in South India using cloud-based services for data know the physical storage location belonging to some services only
- 88% of Indian companies ensure that all personal identification information is anonymized and encrypted across on-premise services and devices
- 63% of companies based in North-East India do not have complete confidence in precisely identifying information that has been exposed during a data breach (internal or external)
- 39% of companies in West India are still cautious about their EU GDPR preparedness and 30% are stressed, while 40% in North-East are feeling nervous about
The major findings in other locations are:
- 62% of IT Decision Makers (ITDMs) surveyed describe themselves as ‘confident’ in the build-up, with 1in 5 (18%) saying they are nervous.
- Only half (51%) of companies say they have all the systems in place that will allow them to remove EU Citizen data from servers upon the request, including back-ups, in accordance with Articles 16 & 17 of GDPR.
- Worryingly, a fifth (21%) do not yet have any systems in place.
In many cases, companies lack the systems and processes to ensure compliance with the new legislation which affects all companies holding and processing EU citizen data. They must have “appropriate technical and organizational measures” in place to safeguard personal data, as well as minimize data collection, processing and storage. Non-compliance can lead to fines of EURO 20 million or 4% of turnover, but this is far outweighed by the reputational damage that can occur from a data breach where non-compliance has heightened the risks for citizens.
Whilst 73% believe GDPR will change the way their business will operate to meet compliance, there are a number of key areas where they will fail to meet the requirements of the legislation:
Data management delays
- A quarter (25%) admitted that systems were only part implemented, and would not allow the automated removal of citizen data from back-ups
- Just 48% of data is geo-fenced so that it cannot be accidentally, or intentionally, moved out of the legal jurisdiction under which it should be
- Many ITDMs (49%) admit not always conducting security audits of the storage locations their data processing and storage partners use
Failing to encrypt data
An average 20% of the companies surveyed lack continuous encryption for personally identifiable information across their cloud and on-premises servers, despite appropriate levels of encryption and anonymization being a requirement for GDPR compliance. Encryption also acts as a last line of defense in the event of a data breach, making data illegible when in the hands of unauthorized parties.
Continuous encryption can be complicated to implement in modern environments where infrastructure and data span both cloud and on-premises servers. Where companies lack strict security and encryption management for technologies such as virtual machines and hyper-converged infrastructure, uncontrolled data sprawl can be common, leading to silos of hidden data, and a fragmentation of governance, that leaves companies non-compliant, and at risk of heavy fines.
Poor data breach monitoring
When a data breach occurs, speed is the key element in responding to on-going attacks, but also to controlling the spread and abuse of data by cybercriminals. GDPR requires companies to report data breaches to the relevant regional authority within 72 hours of discovery, yet 41% of ITDMs believe they could not achieve this today. Perhaps more worrying is that many companies lack the tools that will identify a breach ever occurred or the data taken:
- 33% lack confidence and 6% have no confidence, that their systems would automatically identify a breach triggered by an external source.
- For internal breaches, 34% lack confidence and 6% have no confidence, that their systems would automatically identify a breach event.
- Only half (55%) believe they can precisely identify the data exposed by a breach
“Whilst companies have made general improvements in their preparations for EU General Data Protection Regulation, the survey suggests that most will not be fully compliant with the regulation when it comes into force,” said Mark Hickman, Chief Operating Officer at WinMagic. “Whilst many will have sought the necessary authorizations from EU Citizens to store their data and use it for marketing etc., they will lack the processes and protections demanded by the legislation to ensure compliance and protect personally identifiable information with which they have been entrusted. Effective control and management of the IT infrastructure spanning on-premises and cloud service providers for security and specifically encryption, will be a critical component in meeting the legislative requirements and minimizing the risks to consumers.”