GDPR is confusing businesses, claims Trend Micro report
Businesses are struggling to understand how the GDPR will work, suggests survey
Businesses have only six months to prepare for the General Data Protection Regulation, but a recent study has found that they remain greatly confused by the law.
According to research conducted by cyber security firm Trend Micro, there's a great deal of confusion among businesses about such regulations.
The study quizzed more than 1,000 global IT decision-makers about data protection laws and regulations, with 30 per cent unable to agree what "state of the art" security requirements actually entail.
There were a number of core findings in the study. In particular, 30 per cent of businesses define "state of the art" security as simply buying cyber security protection products from established market leaders.
Meanwhile, 17 per cent believe that it means using products that pass third-party tests. And 16 per cent said they think the term refers to products that have been rated highly by analyst reports.
Additionally, 14 per cent suggested that it covers start-ups providing innovative security products, and perhaps worryingly, 12 per cent of IT bosses are more concerned about the price of products than about whether they meet GDPR requirements.
Bharat Mistry, principal security strategist for Trend Micro, said: "There are many hurdles for businesses to overcome in establishing GDPR compliance - trying to demystify what ‘state of the art’ means is but another challenge on the list.
"Regulatory enforcement bodies should offer further clarification on what ‘state of the art’ means, so businesses can ensure they're not stepping into a fine once May 2018 arrives."
The report also suggested that organisations will struggle when mandatory breach-reporting rules come into force.
Just 63 per cent of businesses have a significant notification process in place, and in countries like the US, firms have to deal with this issue on a state-by-state basis. That can slow down processes.
However, going against GDPR guidelines, 21 per cent of respondents said their companies have processes in place but avoid telling customers about data breaches.
Because data protection authorities have not offered specific definitions of the approach required, companies are struggling to put the right mechanisms in place to protect customers.
Intruder identification technology is the most commonly implemented solution, with 34 per cent incorporating it into their companies.
Data leak protection (DLP) products follow closely, with 33 per cent using them. 29 per cent are using encrypted hardware to protect data.
Despite these investments, the research indicates that companies are failing to take steps to qualify their approach to this technology, relying instead on single-purpose or legacy defences.
"Educating employees and updating data protection policies is all well and good, but if corporate data isn't protected, intruders can't be detected, and if protections aren't in place to prevent data leaks, businesses don't have a cybersecurity strategy," Mistry continued.
"There's no silver bullet to cybersecurity; it's an all-encompassing war in which multiple techniques are necessary to fight hackers' increasing pragmatism. Any business that doesn't realize this quite simply won't be compliant with the regulation."