Large firms name their three top GDPR obstacles

Surprise! They all deal with data

Large British businesses have named data sprawl as one of the most significant challenges that they face as they try to prepare for the General Data Protection Regulation (GDPR). A Citrix study has found that these firms work with end users' personal data on 24 different systems, and share it with 48 other companies, on average.

The huge amount of personal information (big data) that companies must deal with, and uncertainty over data ownership, are two more challenges facing large (250+ employees) firms, the survey - commissioned by Citrix and questioning 500 IT leaders - showed.

Although the average was 24, one in five large firms said that they use more than 40 systems to handle their customers' personal data. Additionally, 47 per cent of respondents admitted to sharing that data with other companies: 48 on average, almost half said that they shared information with more than 50 external businesses.

Most respondents, somewhat surprisingly considering the sprawl, felt confident that they retained control over that shared data; only 15 per cent said that they lost ‘a degree of control' once it had been shared.

Information everywhere

The average large firm gathers information from 577 individuals each day; but 26 per cent said that they collect it from more than 1,000 people over the same time period, resulting in huge amounts of information that they struggle to process.

Indeed, 40 per cent of respondents told Citrix that not all of the data that they store is actually used; and eight per cent said that they never use any of it.

Even if they don't do anything with it, almost 60 per cent of firms store personal data for more than a year; and 25 per cent store it for over five years. Knowing where that data is, and being able to access it, will be a key requirement for GDPR compliance.

Divided on data ownership

Questions - and disagreements - are also widespread on ownership of data. 50 per cent of businesses think that it is owned by the organisation, and only 27 per cent that it is owned by the customer.

Understanding who owns data is another crucial component of the GDPR, and so it is not surprising that 38 per cent of respondents don't consider themselves ready. They either said that current control access policies are not sufficient to comply with the regulation, or admitted that they have ‘no idea' whether they can comply.

Only 52 per cent of large firms carry out data privacy impact assessments for ‘all or most' of the personal data they hold: an important step towards implementing data privacy policies. Ensuring that these are in place requires an organisation to know where their data is, as well as who can access it; but many companies are losing the visibility that they need, while also struggling to store data.