Survey: Orgs Confess to Myriad GDPR Compliance Misses

A recently published Forrester survey commissioned by Microsoft details the many ways that organizations are failing to comply with the European Union's General Data Protection Regulation (GDPR), which took effect in mid-2018.

The GDPR privacy law, with potential fines of €20 million or 4 percent of an organization's annual global revenue, whichever is greater, became legally enforceable on May 25, 2018. While the GDPR is the law in the European Union, it applies worldwide to any company that handles EU-residents' data.

The Forrester study, "Security Through Simplicity," included survey responses from 481 IT security decision makers on a variety of topics, including GDPR compliance. The survey was initiated in August and completed in September. According to the survey results, over half of respondents said that their organizations had not carried out the following GDPR compliance steps:

  • Vetted third-party vendors (62 percent)
  • Hired personnel to serve as data protection officers (60 percent)
  • Collected evidence of having addressed GDPR compliance risks (59 percent)
  • Implemented "privacy by design" principles (57 percent)
  • Trained business personnel on GDPR requirements (57 percent)
  • Allocated budget to address GDPR readiness (56 percent)
  • Set up preparations for the "72-hour data breach notification requirement" (55 percent)

Those admissions came from "353 IT security decision makers in the US, Canada, the UK, Germany, Brazil, Japan, Australia, and New Zealand who prioritize digital transformation efforts," according to the study. The December study included results that varied between a 481 and 353 response count.

The respondents mostly (47 percent) were representative of smaller organizations, namely between 1,000 and 4,999 employees.

The GDPR segment of the study was just a small part. The study mostly made the case that organizations should want to achieve so-called "digital transformation," where organizations need to support users across various platforms, both internally and externally. This digital transformation goal, though, can add increased complexity. Forrester concluded that the organizations that were best prepared to reach digital transformation while also ensuring security were the ones that could modernize their operations and consolidate their use of vendors.

"Consolidating digital operations within fewer modernized systems -- allowing for identity management, data security, and threat protection across hybrid environments -- is the key to overcoming complexity," the study contended.

However, the study found that just 11 percent of the organizations represented in the survey had adopted that sort of consolidation and modernization approach as a critical priority.

Vendor consolidation and modernization by organizations would also help meet GDPR requirements by a factor of between 6 and 20 percentage points, the report contended based on the survey results.

In adding to embracing vendor consolidation and modernization, Forrester recommended that organizations take a security-by-design approach to operations. They should expand their data analytics capabilities by combining security information event management (SIEM) solutions with Big Data and user behavior information, along with network analyses. They should clamp down on "shadow IT" operations and simplify security for end users via multifactor authentication and biometric sign-ins, among other such details.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Feds Takes Action Against Russian Firms for Spying

    The U.S. Department of the Treasury has issued sanctions against Russia and a handful of Russian organizations for spying and other cyberactivities.

  • Microsoft Previews 64-Bit OneDrive Client for Windows 10

    A preview of a 64-bit OneDrive client for x64 Windows 10 systems is now available for work, school or home users.

  • The 2021 Microsoft Product Roadmap

    From Windows 10X to the next generation of Microsoft's application server products, here are the product milestones coming down the pipeline in 2021.

  • Microsoft Adds Data Loss Prevention Alerts to Compliance Toolbox

    The latest part of Microsoft's overall compliance tooling is its Data Loss Prevention Alerts Dashboard, now generally available.