Survey: Orgs Confess to Myriad GDPR Compliance Misses

- By Kurt Mackie
- March 07, 2019
A recently published Forrester survey commissioned by Microsoft details the many ways that organizations are failing to comply with the European Union's General Data Protection Regulation (GDPR), which took effect in mid-2018.
The GDPR privacy law, with potential fines of €20 million or 4 percent of an organization's annual global revenue, whichever is greater, became legally enforceable on May 25, 2018. While the GDPR is the law in the European Union, it applies worldwide to any company that handles EU residents' data.
The Forrester study, "Security Through Simplicity," included survey responses from 481 IT security decision makers on a variety of topics, including GDPR compliance. The survey was initiated in August and completed in September. According to the survey results, over half of respondents said that their organizations had not carried out the following GDPR compliance steps:
- Vetted third-party vendors (62 percent)
- Hired personnel to serve as data protection officers (60 percent)
- Collected evidence of having addressed GDPR compliance risks (59 percent)
- Implemented "privacy by design" principles (57 percent)
- Trained business personnel on GDPR requirements (57 percent)
- Allocated budget to address GDPR readiness (56 percent)
- Set up preparations for the "72-hour data breach notification requirement" (55 percent)
Those admissions came from "353 IT security decision makers in the US, Canada, the UK, Germany, Brazil, Japan, Australia, and New Zealand who prioritize digital transformation efforts," according to the study. The December study included results based on response counts that varied between 481 and 353.
The largest share of respondents (47 percent) represented smaller organizations, those with between 1,000 and 4,999 employees.
The GDPR segment of the study was just a small part. The study mostly made the case that organizations should want to achieve so-called "digital transformation," where organizations need to support users across various platforms, both internally and externally. This digital transformation goal, though, can add increased complexity. Forrester concluded that the organizations that were best prepared to reach digital transformation while also ensuring security were the ones that could modernize their operations and consolidate their use of vendors.
"Consolidating digital operations within fewer modernized systems -- allowing for identity management, data security, and threat protection across hybrid environments -- is the key to overcoming complexity," the study contended.
However, the study found that just 11 percent of the organizations represented in the survey had adopted that sort of consolidation and modernization approach as a critical priority.
Vendor consolidation and modernization would also improve organizations' GDPR compliance rates by between 6 and 20 percentage points, the report contended, based on the survey results.
In addition to embracing vendor consolidation and modernization, Forrester recommended that organizations take a security-by-design approach to operations. They should expand their data analytics capabilities by combining security information and event management (SIEM) solutions with Big Data and user behavior information, along with network analyses. They should clamp down on "shadow IT" operations and simplify security for end users via multifactor authentication and biometric sign-ins, among other such details.
About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.