Veritas Study: Organisations Worldwide Mistakenly Believe They Are GDPR Compliant
Only two percent of “GDPR-ready” organisations are compliant
Mountain View, CA, July 25, 2017 – A study from Veritas Technologies, a leader in multi-cloud data management, has found that organisations across the globe mistakenly believe they are in compliance with the upcoming General Data Protection Regulation (GDPR).
According to findings from The Veritas 2017 GDPR Report, almost one-third (31 percent) of respondents said that their enterprise already conforms to the legislation’s key requirements. However, when those same respondents were asked about specific GDPR provisions, most provided answers that show they are unlikely to be in compliance. In fact, upon closer inspection, only two percent actually appear to be in compliance, revealing a distinct misunderstanding over regulation readiness.
The findings from the report show that almost half (48 percent) of organisations who stated they are compliant do not have full visibility over personal data loss incidents. Moreover, 61 percent of the same group admitted that it is difficult for their organisation to identify and report a personal data breach within 72 hours of awareness – a mandatory GDPR requirement where there is a risk to data subjects. Any organisation that is unable to report the loss or theft of personal data – such as medical records, email addresses and passwords – to the supervisory body within this timeframe is breaking with this key requirement.
The former employee threat
Restricting former employee access to corporate data and deleting their systems credentials helps to stem malicious activity and ensure that financial loss and reputational damage are avoided. Yet, a staggering 50 percent of so-called compliant organisations said that former employees are still able to access internal data. These findings highlight that even the most confident organisations struggle to control former employee access and are potentially susceptible to attacks.
Challenges exercising “the right to be forgotten”
Under the GDPR, EU residents will have the right to request the removal of their personal data from an organisation’s databases. However, Veritas’ research shows many organisations that stated they already are in compliance will not be able to search, find and erase personal data if the “right to be forgotten” principle is exercised.
Of the organisations that believe they are GDPR-ready, one-fifth (18 percent) admitted that personal data cannot be purged or modified. A further 13 percent conceded that they do not have the capability to search and analyse personal data to uncover explicit and implicit references to an individual. They are also unable to accurately visualise where their data is stored, because their data sources and repositories are not clearly defined.
These shortcomings would render a company non-compliant under the GDPR. Organisations must ensure that personal data is only used for the reasons it was collected and is deleted when it’s no longer needed.
Demystifying GDPR responsibility
Veritas’ research also found that there is a common misunderstanding among organisations regarding the responsibility of data held in cloud environments. Almost half (49 percent) of the companies that believe they comply with the GDPR consider it the sole responsibility of the cloud service provider (CSP) to ensure data compliance in the cloud. In fact, the responsibility lies with the data controller (the organisation) to ensure that the data processor (the CSP) provides sufficient GDPR guarantees. This perceived false sense of protection could lead to serious repercussions once the GDPR is enacted.
“The GDPR dictates that multi-national corporations take data management seriously. However, the latest findings show confusion over what’s needed to comply with the regulation’s mandatory provisions. With the implementation date looming ever closer, these misconceptions need to be eradicated fast,” said Mike Palmer, executive vice president and chief product officer, Veritas.
“With regulations like the GDPR you have to understand what data you have in your organisation. But you must also know how to take action on it and how to classify it so that policy can be applied accordingly. These are the fundamentals of compliance and the findings today should be used to educate businesses about the mistaken beliefs that could put an organisation out of business.”
The GDPR is intended to harmonise data privacy and protection mandates across European Union (EU) member states. It requires organisations to implement the appropriate protection measures and processes to effectively govern personal data. The GDPR will take effect on May 25, 2018 and will apply to any organisation – inside or outside the EU – that offers goods or services to EU residents, or monitors their behavior.
In addition to this research, Veritas will announce today, Veritas Data Insight 6.0, Veritas Enterprise Vault 12.2 and the Integrated Classification Engine, a new technology that delivers powerful intelligence into data risks on-premises and in the cloud. The classification engine provides broad visibility into personal data and helps companies meet compliance regulations, like GDPR. The Integrated Classification Engine is available now in Veritas Data Insight 6.0, and will be available with Veritas Enterprise Vault 12.2 in August. Future integrations are planned across the Veritas data protection, storage and governance portfolio. Click here to view the press release.
For information on how Veritas Technologies can help your organisation become GDPR compliant visit https://www.veritas.com/gdpr.
Veritas commissioned independent technology market research specialist Vanson Bourne to undertake the research upon which this report is based.
A total of 900 business decision makers were interviewed in February and March across the US, the UK, France, Germany, Australia, Singapore, Japan and the Republic of Korea. The respondents were from organisations with at least 1,000 employees, and could be from any sector. To qualify for the research, respondents had to be from organisations that do at least some business with the EU.
Interviews were conducted online using a rigorous multi-level screening process to ensure that only suitable candidates had the opportunity to participate.
About Veritas Technologies
Veritas Technologies empowers businesses of all sizes to discover the truth in information—their most important digital asset. Using the Veritas platform, customers can accelerate their digital transformation and solve pressing IT and business challenges including multi-cloud data management, data protection, storage optimisation, compliance readiness and workload portability—with no cloud vendor lock-in. Eighty-six percent of Fortune 500 companies rely on Veritas today to reveal data insights that drive competitive advantage. Learn more at www.veritas.com or follow us on Twitter at @veritastechllc.
Forward-looking Statements: Any forward-looking indication of plans for products is preliminary and all future release dates are tentative and are subject to change at the sole discretion of Veritas. Any future release of the product or planned modifications to product capability, functionality, or feature are subject to ongoing evaluation by Veritas, may or may not be implemented, should not be considered firm commitments by Veritas, should not be relied upon in making purchasing decisions, and may not be incorporated into any contract.
Veritas, the Veritas Logo, NetBackup, Backup Exec and Enterprise Vault are trademarks or registered trademarks of Veritas Technologies LLC or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.