Despite the fact that many businesses see the upcoming General Data Protection Regulation (GDPR) enforcement as an opportunity for improvement rather than simply a compliance issue, IBM’s Institute for Business Value found that just 36 percent of 1,500 surveyed companies will fully meet the new data security standard by the May 25 deadline.
GDPR, seen as the most significant update to consumer privacy in decades, takes effect across the European Union late next week but has implications for any organization with customers residing in EU nations. To control their risk exposure, around 70 percent of surveyed companies are doing a data dump in the lead-up to enforcement, getting rid of data they no longer need. Other internal culture shifts are underway as well; 80 percent are trimming the amount of personal customer data they hold onto, and 78 percent said they’re tightening control over the number of employees who have access to sensitive consumer information.
“GDPR will be one of the biggest disruptive forces impacting business models across industries–and its reach extends far beyond the EU borders,” Cindy Compert, CTO, Data Security & Privacy, IBM Security, said. “The onset of GDPR also comes during a time of huge distrust among consumers toward businesses’ ability to protect their personal data. These factors together have created a perfect storm for companies to rethink their approach to data responsibility and begin to restore the trust needed in today’s data-driven economy.”
As they go about effecting these changes organization-wide, enterprises reported obstacles ranging from data discovery and data accuracy to data processing principles.
However, the most optimistic companies are seizing this moment to evolve their organizational approach to data for the better; in fact, 84 percent of the surveyed global business leaders involved with GDPR believe that compliance could become a differentiator, especially amid a climate that scrutinizes corporate handling of consumer data. Some companies see an upside to this increased scrutiny: more than three quarters (76 percent) said that under GDPR they could foster more trusted relationships with their target customers and even develop new business opportunities.
Global businesses with customers spread out across borders voiced concerns over how to properly manage cross-border data transfers, IBM discovered, as well as the right way to go about securing consent from data subjects.
GDPR will require businesses to report data breaches to the appropriate authorities within 72 hours of the incident occurring. Despite this tightened timeline, most surveyed companies have yet to review and update their incident response policies, with just 31 percent undertaking this task, IBM found.
By contrast, the companies that see GDPR as a transformational opportunity are further along in their pre-enforcement activities, according to the survey. Most have tweaked their incident response protocols (93 percent), expressed confidence in their data discovery and data accuracy capabilities (79 percent) and are adopting a privacy- and security-first mindset for creating new products (74 percent).