78 per cent of UK enterprises still not in a GDPR state of mind

Majority of UK businesses with 5,000+ employees are still concerned about GDPR and have work to do before they are fully compliant.

A new report from CA Technologies reveals that only just over a quarter (28%) of large businesses in the UK have started preparing for the European General Data Protection Regulation (GDPR), which comes into force in May 2018.
 
And only 22 per cent are completely prepared and waiting to get started, according to decision makers. Preparations are unlikely to be simple: GDPR is set to ramp up the legal data privacy rights of customers, specifically with personal data being extended to include social media posts, photographs, transaction histories, IP addresses and more. Yet when asked about the safe storage of sensitive and personally identifiable data (PII), almost one in five respondents (18%) were not confident that it was stored in places where only their organisation could access it. In addition, a third (34%) are not yet able to detect PII and other sensitive data during development.
 
Conversely, the respondents cited confidence in board-level awareness of GDPR and ability to act. The majority of business leaders questioned (89%) were confident about their board’s readiness, with 57 per cent boasting “very” and “reasonable” levels of confidence.
 
“Larger businesses may well receive more attention from the public on GDPR compliance. They are likely to hold more sensitive data and have higher profits than their smaller counterparts, so the regulators will be watching closely,” Rob Coleman, UKI CTO at CA Technologies, commented. “There’s a worrying disparity between confidence in the board’s preparedness and actual readiness to act when we look at the specifics around storage, security and development. GDPR needs to be embedded into every single element of the business, with programmes represented by each unit of the organisation, including HR, finance, legal and IT.”
 
Critical to GDPR compliance is secure storage of data and appropriate access. While 54% indicate they are “reasonably” (25%) or “quite” (29%) confident, only a quarter (27%) of respondents are “very confident” that all sensitive data and PII can only be accessed from within the organisation. Denying access to former employees when they leave the business is essential to this, but only 23% revoke access within minutes, and a worrying 3% can take a year or longer.
 
“There is an opportunity for organisations to do better when it comes to handling sensitive data,” adds Coleman. “GDPR won’t be letting security breaches sit unnoticed. UK businesses need to move fast to ensure that they are compliant and, more importantly, that they are delivering the high level of security and service that their customers expect in today’s application economy.”