The vast majority of organizations worldwide (86%) are concerned that a failure to adhere to the upcoming General Data Protection Regulation (GDPR) could have a major negative impact on their business, according to a study by Veritas Technologies. Nearly 20% said they fear that non-compliance could put them out of business. This is in the face of potential fines for non-compliance as high as €20 million or 4% of annual turnover – whichever is greater. Intended to harmonize the governance of information that relates to individuals (‘personal data’) across European Union (EU) member states, the GDPR requires greater oversight of where and how personal data – including credit card, banking and health information – is stored and transferred, and how access to it is policed and audited by organizations.
GDPR, which comes into force on the 25th May 2018, will not only affect organizations within the EU, but extend globally, impacting any organization that offers goods or services to EU residents, or monitors their behaviour, for example, by tracking their buying habits. The study indicates that a whopping 47% of organizations globally have major doubts that they will meet this impending compliance deadline.
Data breaches are already a major concern for business continuity and resilience professionals according to the Business Continuity Institute’s latest Horizon Scan Report, and this is only going to be exacerbated over the coming year and beyond as organizations try to develop their understanding of what compliance means.
The Veritas 2017 GDPR Report found that more than one in five (21%) are very worried about potential layoffs, fearing that staff reductions may be an inevitable outcome of the financial penalties incurred for GDPR compliance failures.
Organizations are also worried about the impact non-compliance could have on their brand image, especially if and when a compliance failure is made public, potentially as a result of the new obligations to notify data breaches to those affected. Nineteen percent of those surveyed fear that negative media or social coverage could cause their organization to lose customers. An additional one in ten (12%) are very concerned that their brand would be de-valued as a result of negative coverage.
The research also shows that many organizations appear to be facing serious challenges in understanding what data they have, where that data is located, and its relevance to the business – a critical first step in the GDPR compliance journey. Key findings reveal that many organizations are struggling to solve these challenges because they lack the proper technology to address compliance regulations.
There is also widespread concern about data retention. More than 40% of organizations admitted that there is no mechanism in place to determine which data should be saved or deleted based on its value. Under GDPR, companies can retain personal data if it is still being used for the purpose that was notified to the individual concerned when the data was collected, but must delete personal data when it is no longer needed for that purpose.
“There is just over a year to go before GDPR comes into force, yet the ‘out of sight, out of mind’ mentality still exists in organizations around the world. It doesn’t matter if you’re based in the EU or not, if your organization does business in the region, the regulation applies to you,” said Mike Palmer, executive vice president and chief product officer at Veritas. “A sensible next step would be to seek an advisory service that can check the level of readiness and build a strategy that ensures compliance. A failure to react now puts jobs, brand reputation and the livelihood of businesses in jeopardy.”