Information management vendor Veritas has published the results of a survey it commissioned around GDPR. The survey, which was conducted by Vanson Bourne, is a damning indictment of how unprepared businesses are less than a year away from GDPR going live. Some companies are so unprepared they fear any breach could put them out of business.
The survey looked at 900 companies across eight countries and was conducted during February and March 2017. The respondents were from companies with at least 1,000 employees across a wide range of business sectors. Although it included countries outside the EU such as the USA, Japan, Singapore, Australia and South Korea, all of the companies surveyed did business with the EU.
According to Mike Palmer, executive vice president and chief product officer at Veritas: “There is just over a year to go before GDPR comes into force, yet the ‘out of sight, out of mind’ mentality still exists in organizations around the world. It doesn’t matter if you’re based in the EU or not, if your organization does business in the region, the regulation applies to you.
“A sensible next step would be to seek an advisory service that can check the level of readiness and build a strategy that ensures compliance. A failure to react now puts jobs, brand reputation and the livelihood of businesses in jeopardy.”
Enterprise Times was given access to the data to see just how worried the respondents were about GDPR.
What are the big concerns over GDPR?
The EU General Data Protection Regulation (GDPR) applies to any organisation that processes the personal data of people in the EU, regardless of where that organisation is based. It is designed to tighten and harmonise data protection and privacy rules across the trading bloc. This means that organisations need to identify what GDPR calls personal data (often loosely referred to as Personally Identifiable Information, or PII) and then protect it.
A failure to protect that data could lead to fines as high as €20 million (around $21 million) or 4% of annual turnover, whichever is higher. Turnover is assessed on a global basis, which prevents companies from limiting their exposure by sacrificing a small business unit.
Looking at the data, it is clear that different countries have different concerns. Countries outside Europe are more concerned about the impact on their workforce or even going completely out of business. This suggests that their European subsidiaries are operating on very low margins. Where the EU business is export-driven, it also suggests they are operating on low profit margins in order to compete with home-grown EU companies.
GDPR also introduces a requirement to report a breach within a short space of time: the supervisory authority must be notified within 72 hours of the organisation becoming aware of it, and affected individuals must be told without undue delay where the breach poses a high risk to them. This means that where companies were previously able to keep breaches out of public view, they will now have to deal with them openly. It will be yet another challenge for luxury brands, for whom reputation is everything. They now have to add the risk of a public cyber breach to counterfeiting and fraud.
What are the top six concerns?
The high penalties could lead to a workforce reduction: Australia (29%), USA (26%) and South Korea (23%) were the most concerned. What is not clear is whether this is about exports or EU subsidiaries. Japan (10%) and France (16%) were least worried about this risk.
The negative media or social coverage could cause us to lose customers: Germany (24%) and the UK (23%) were most concerned about this. Data breaches continue to have an impact on affected companies. It is not surprising, therefore, that two of the EU’s biggest economies are worried about losing customers.
The high penalties could cause us to go out of business: Once again it is the non-EU companies US (25%), Australia (23%) and Singapore (20%) that are most concerned.
The negative media or social coverage could cause our brand to be de-valued: 25% of French companies saw brand damage as a serious risk. By comparison only 6% of US and 5% of Australian companies shared that concern.
Potential shareholder lawsuits if we have a significant data breach: Japan (14%), South Korea (12%) and Australia (11%) see lawsuits as a particular risk. Interestingly, the most litigious country around, the USA (9%), saw this as a smaller risk. UK companies (2%) don’t seem to believe there is any risk from shareholder lawsuits.
We will lose market share as prospects/customers will think that our competitors are better stewards of data than us: Singapore (14%) which has some of the toughest data laws was most concerned here. This is as much about their own investors and regulators as it is about customer perception. Surprisingly, France (10%) was second with the US (9%) a close third.
Mid-size companies more concerned than large enterprises
Skills, money and technology all contribute to an organisation’s ability to protect personal data. The problem for many organisations is that they don’t seem to know what they have to protect. It is evident from some of the responses that organisations are struggling with the definition of personal data. To make matters worse, GDPR introduces a much extended list of data that counts as personal data.
Last year the Court of Justice of the European Union ruled that a dynamic IP address can be personal data in the hands of a website operator that has legal means to have the user behind it identified. This is just one of several rulings that are likely to follow over the next year as organisations test the limits of what they do and don’t have to protect. A bigger worry for organisations will be their lack of investment in data classification technology. Many have no way of marking data as sensitive or of tracking sensitive information inside files.
With so much data now stored in the cloud, workers are routinely moving data outside the organisation’s direct control. The problem is how to take advantage of the cloud without taking on those risks.
Investment continuing to rise
The survey shows that last year the average investment in data privacy compliance was $695,122. In the next year organisations expect to spend roughly another $1 million, on average, to ensure that their data privacy systems are compliant. The US and Japan expect spending to average over $1.2 million in the next year, while Germany and Singapore are also around the $1 million mark.
Surprisingly, UK companies expect to spend an average of under $700,000, with French companies a little higher at $750,000. The difference in spending is not really explained by the survey. The proportion of companies in the UK, France and US that claim to be GDPR compliant, or expect to be, is within a few percentage points. Germany is also not far behind, and it operates in a much more aggressive data protection regime than the UK.
So are UK and French companies that much better at protecting privacy? There is no evidence for this at all. Spending on data privacy compliance in both countries was the lowest of all. This does not send a very strong message to investors or the workforce. UK companies that believe GDPR will not apply once Brexit is complete need to think again. French companies that believe their regulator won’t enforce breach notification are similarly fooling themselves.
This is a small survey from which it is hard to draw widespread conclusions. What is evident is that there are companies with well-founded concerns about the risks of GDPR. Some are moving to invest in technology and training. However, there are also companies that are not spending anything like the same amount of money.
GDPR has the potential to be a business ending issue. This is something that politicians, business groups, the technology industry and press have been saying for well over a year. It is the 21st Century version of the Y2K bug. Serious issues were only avoided back in 1999/2000 due to the investment and work put in ahead of time. With GDPR too few companies appear to be making the right level of investment.
Let’s hope that those companies in this survey who are concerned about their survival do not have a serious data breach.