Key to compliance with GDPR, which comes into effect on May 25 2018, are several fundamental data management and access requirements placed on all organisations across the EU, as well as those beyond it that deal with EU customer data.
The survey revealed some stark findings with regard to the specific management of individuals’ personal information, with only 18% of organisations surveyed stating that they had the capability to delete data on request from all data stores. Only 9% believed they could effectively anonymise their data when required, and fewer still believed they would be able to collate and move data to another organisation at an individual’s request (8%).
In regard to other personal data management critical to GDPR requirements, such as ‘The Right To Be Forgotten’, only 16% of organisations polled said they were confident that they could immediately find data related to specific individuals. 36% indicated that it would take hours to collect this data; 25% said it would take days, 18% said it would take weeks and 5% actually admitted that there was no way they could find this data, rendering not just GDPR compliance, but also ‘The Right To Be Forgotten’ entirely ineffective.
Furthermore, the study revealed that 89% of organisations and IT personnel admit to still being confused by key elements of the regulation, exposing considerable gaps between current knowledge and the fundamental implementations required to establish a data management strategy that enables GDPR compliance:
· Only 21% feel they have a good understanding of what GDPR means in practice
· Only 18% said they understood what data their company has and where it lives
· Only 17% understood the potential impact of GDPR on the overall business
· Only 12% understood how GDPR would affect cloud services
· Only 11% said they understood what constituted personal data
“As a result of this lethargy, it is highly likely that we will see a number of high-profile organisations hitting the headlines for contravening GDPR soon after it comes into effect next May, mainly due to a lack of understanding of the data they hold and its relationship to GDPR,” said Nigel Tozer, solutions marketing director, EMEA, Commvault.
“Becoming GDPR compliant is not simply a matter of flicking a switch. If organisations are to avoid the risk of fines, or a ban on processing personal data, in addition to potentially crippling damage to brand identity, companies need to act. Unfortunately, there is still a big disconnect between business and IT leadership on GDPR, with the business thinking there is a switch to flick, and IT still thinking it’s a business process problem.
“The truth is that realigning IT processes around personal data can actually help with digital transformation or modernisation programs, and changes to get in line with GDPR could reduce overall budget share on both programs. This sort of alignment can deliver many efficiencies and business benefits, but if not dealt with now, organisations will not be ready for May the 25th,” finished Tozer.