Survey: Orgs Confess to Myriad GDPR Compliance Misses

A recently published Forrester survey commissioned by Microsoft details the many ways that organizations are failing to comply with the European Union's General Data Protection Regulation (GDPR), which took effect in mid-2018.

The GDPR privacy law, with potential fines of €20 million or 4 percent of an organization's annual global revenue, whichever is greater, became legally enforceable on May 25, 2018. While the GDPR is the law in the European Union, it applies worldwide to any company that handles EU-residents' data.

The Forrester study, "Security Through Simplicity," included survey responses from 481 IT security decision makers on a variety of topics, including GDPR compliance. The survey was initiated in August and completed in September. According to the survey results, over half of respondents said that their organizations had not carried out the following GDPR compliance steps:

  • Vetted third-party vendors (62 percent)
  • Hired personnel to serve as data protection officers (60 percent)
  • Collected evidence of having addressed GDPR compliance risks (59 percent)
  • Implemented "privacy by design" principles (57 percent)
  • Trained business personnel on GDPR requirements (57 percent)
  • Allocated budget to address GDPR readiness (56 percent)
  • Set up preparations for the "72-hour data breach notification requirement" (55 percent)

Those admissions came from "353 IT security decision makers in the US, Canada, the UK, Germany, Brazil, Japan, Australia, and New Zealand who prioritize digital transformation efforts," according to the study. The December study included results that varied between a 481 and 353 response count.

The respondents mostly (47 percent) were representative of smaller organizations, namely between 1,000 and 4,999 employees.

The GDPR segment of the study was just a small part. The study mostly made the case that organizations should want to achieve so-called "digital transformation," where organizations need to support users across various platforms, both internally and externally. This digital transformation goal, though, can add increased complexity. Forrester concluded that the organizations that were best prepared to reach digital transformation while also ensuring security were the ones that could modernize their operations and consolidate their use of vendors.

"Consolidating digital operations within fewer modernized systems -- allowing for identity management, data security, and threat protection across hybrid environments -- is the key to overcoming complexity," the study contended.

However, the study found that just 11 percent of the organizations represented in the survey had adopted that sort of consolidation and modernization approach as a critical priority.

Vendor consolidation and modernization by organizations would also help meet GDPR requirements by a factor of between 6 and 20 percentage points, the report contended based on the survey results.

In adding to embracing vendor consolidation and modernization, Forrester recommended that organizations take a security-by-design approach to operations. They should expand their data analytics capabilities by combining security information event management (SIEM) solutions with Big Data and user behavior information, along with network analyses. They should clamp down on "shadow IT" operations and simplify security for end users via multifactor authentication and biometric sign-ins, among other such details.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.


  • Microsoft Previews Whiteboard Support in Teams Rooms Devices

    A preview of a new Microsoft Teams Rooms feature will enable organizations to use images of physical whiteboards as a dynamic space for videoconferencing.

  • 2019 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss this year.

  • Microsoft Warns of Heightened Threat of 'BlueKeep' Attacks

    Older Windows systems using Microsoft's Remote Desktop Services are at acute risk of remote code execution attacks due to the "BlueKeep" vulnerability.

  • The 2019 Microsoft Product Roadmap

    From the next major update to Windows 10 to the next generation of HoloLens, here's what's on tap from Microsoft this year.