Most GDPR-compliant organisations are actually not

Only two per cent of 'GDPR-ready' organisations are actually compliant

Many of the companies that claim to be ready for the GDPR do not actually comply with its regulations, a study by Veritas Technologies has found.

31 per cent of the 900 respondents across Europe and Asia told Veritas that their organisation already matches the "key requirements" of the GDPR; however, when questioned further they were found to lack understanding of the regulation and were judged unlikely to actually comply. Only two per cent appear fully ready for the incoming legislation.

Recent research by Computing confirms Veritas' findings: we found that only 25 per cent of UK businesses understand the GDPR; eight per cent were completely unfamiliar with it; and five per cent thought that it wouldn't apply to them because of Britain's decision to leave the EU.

Almost half of organisations that told Veritas that they were compliant did not have full visibility over personal data loss incidents. 61 per cent of this group said that it is 'difficult' to identify and report a data breach within 72 hours; this is a mandatory requirement for the GDPR, and failure to do so will result in a fine.

Jason Tooley, Veritas' VP of Northern Europe, added: "The results today show that more education is needed on the tools, processes and policies to support information governance strategies that are required to comply with the GDPR requirements. Creating an automated, classification-based, policy-driven approach to GDPR is key to success and will enable organisations to accelerate their ability to meet the regulatory demands within the short timeframes available."

Half of so-called 'compliant' firms said that their former employees are still able to access internal data, opening them up to another avenue of attack.

Who are you?

The ability for individuals to exercise the right to be forgotten is another GDPR requirement, and one that many companies are struggling with: not only because of the massive data visibility needs, but also due to the somewhat fuzzy definition of 'personal data'.

According to Veritas, many 'compliant' organisations will not be able to fully search, find and erase personal data if such a request is made. 18 per cent said that personal data cannot be purged or modified; a further 13 per cent said that they do not have the capacity to search and analyse personal data to uncover references to an individual. They are also unable to accurately visualise where such data is stored.

Who is responsible?

Computing found that many firms disagree over who should be responsible for GDPR compliance; and again, Veritas' findings tallied with our own. Regarding data held in the cloud, 49 per cent of respondents said that compliance was the sole responsibility of the cloud service provider (CSP). In fact, it is up to the data controller (the organisation) to ensure that the data processor (the CSP) provides sufficient GDPR guarantees.

"The complexity created through the management of data across multiple cloud and on-premise environments is accentuating the challenge and will inhibit an organisation's ability to remain compliant in the face of the GDPR articles," said Tooley. "For every organisation that's currently struggling to make sense of the GDPR's provisions, it should immediately seek an advisory service to audit its levels of preparedness and create a smooth and accelerated path towards total compliance."

The GDPR comes into effect on the 25th May 2018, and will apply to any organisation that offers goods or services to EU residents. Non-compliant firms face the prospect of a fine: either €20 million or four per cent of their global turnover, whichever is higher. Computing has published a list of the top five concerns that IT leaders have around the upcoming regulation.