Survey: Orgs Confess to Myriad GDPR Compliance Misses

A recently published Forrester survey commissioned by Microsoft details the many ways that organizations are failing to comply with the European Union's General Data Protection Regulation (GDPR), which took effect in mid-2018.

The GDPR privacy law, with potential fines of €20 million or 4 percent of an organization's annual global revenue, whichever is greater, became legally enforceable on May 25, 2018. While the GDPR is the law in the European Union, it applies worldwide to any company that handles EU-residents' data.

The Forrester study, "Security Through Simplicity," included survey responses from 481 IT security decision makers on a variety of topics, including GDPR compliance. The survey was initiated in August and completed in September. According to the survey results, over half of respondents said that their organizations had not carried out the following GDPR compliance steps:

  • Vetted third-party vendors (62 percent)
  • Hired personnel to serve as data protection officers (60 percent)
  • Collected evidence of having addressed GDPR compliance risks (59 percent)
  • Implemented "privacy by design" principles (57 percent)
  • Trained business personnel on GDPR requirements (57 percent)
  • Allocated budget to address GDPR readiness (56 percent)
  • Set up preparations for the "72-hour data breach notification requirement" (55 percent)

Those admissions came from "353 IT security decision makers in the US, Canada, the UK, Germany, Brazil, Japan, Australia, and New Zealand who prioritize digital transformation efforts," according to the study. The December study included results that varied between a 481 and 353 response count.

The respondents mostly (47 percent) were representative of smaller organizations, namely between 1,000 and 4,999 employees.

The GDPR segment of the study was just a small part. The study mostly made the case that organizations should want to achieve so-called "digital transformation," where organizations need to support users across various platforms, both internally and externally. This digital transformation goal, though, can add increased complexity. Forrester concluded that the organizations that were best prepared to reach digital transformation while also ensuring security were the ones that could modernize their operations and consolidate their use of vendors.

"Consolidating digital operations within fewer modernized systems -- allowing for identity management, data security, and threat protection across hybrid environments -- is the key to overcoming complexity," the study contended.

However, the study found that just 11 percent of the organizations represented in the survey had adopted that sort of consolidation and modernization approach as a critical priority.

Vendor consolidation and modernization by organizations would also help meet GDPR requirements by a factor of between 6 and 20 percentage points, the report contended based on the survey results.

In adding to embracing vendor consolidation and modernization, Forrester recommended that organizations take a security-by-design approach to operations. They should expand their data analytics capabilities by combining security information event management (SIEM) solutions with Big Data and user behavior information, along with network analyses. They should clamp down on "shadow IT" operations and simplify security for end users via multifactor authentication and biometric sign-ins, among other such details.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.


  • Microsoft Releases Dev Box Preview

    Microsoft Dev Box, which lets developers create provisioned workspaces for specific projects, has now hit the preview stage, according to an announcement made this week.

  • The 2022 Microsoft Product Roadmap

    Microsoft has a lot in the docket for 2022, including new products like SQL Server 2022, Exchange Subscription Edition and Visual Studio 2022 for Mac.

  • .NET 6 Support Comes to Linux

    Canonical and Microsoft announced on Tuesday that devs using Ubuntu 22.04 ("Jammy") operating system can now install .NET 6,

  • Microsoft Releases Entra Verified ID Service

    Microsoft announced on Monday the "general availability" of Microsoft Entra Verified ID, a new service that promises a more deliberate way for individuals and organizations to share identity information.