Bitdefender, a leading global cybersecurity technology company protecting 500 million users worldwide, released research today that reveals 74% of C-Level IT decision makers believe the government should have done more to explain to organisations what the General Data Protection Regulation (GDPR) is, and how companies should best prepare. Simultaneously, more than half (52%) believe that the press and/or infosec marketing departments are guilty of over-hyping the GDPR. A figure that rises to 65% amongst Chief Security Officers (CSOs).
Awareness is not understanding
Despite the intense publicity around the GDPR, 31% of Chief Information Officers (CIOs), and more than a quarter (26%) of other C-level IT decision makers admit that, even when pressed, they still would not be able to give a clear and concise description of the regulation and how their company has adhered to the framework. A further 10% of C-level respondents, say they do not know if they would be able to provide such a description. It would also appear that the upcoming GDPR is doing little to fully convince those in change to adhere to proper compliance practices.
C-Level IT decision makers are playing a game of chance with compliance
Despite the known risks of non-compliance to the GDPR, such as fines from the Information Commissioner’s Office being up to €20 million or 4% of group worldwide turnover, 83% of CSOs and 51% of Chief Information Security Officers (CISOs) say that they would be tempted to risk non-compliance to offset a complex implementation process. However, this laissez-faire response drops to only 34% amongst CIO respondents — possibly pointing to the board’s requirement for those in this role to help mitigate overall organisational risk.
A GDPR reality check is on the cards
There is less than 100 days before the General Data Protection Regulation (GDPR) is implemented on 25 May 2018. And a day of reckoning might be on the cards for those that are not prepared, as the research cites that 72% of CIOS and 66% of all C-level IT decision makers believe that the ICO will have the resources to appropriately enforce the GDPR in the UK. In fact, there’s only less than a quarter (23%) of senior IT respondents that do not believe the ICO will not have the resources to enforce the regulation.
“This study brings a new perspective to GDPR compliance. As an industry, everyone in IT can agree that the GDPR represents the most significant change to data protection practices in two decades — yet despite the hype around it, it appears that not everyone is sure exactly what it is or whether their companies are ready for it. It’s this last point that is concerning,” comments Liviu Arsene, Researcher at Bitdefender.
“In less than 100 days all companies will be held responsible for their handling of data as it relates to the protection of European citizen’s data. Companies will need to prove they are doing everything they can to protect this data, share who has control over it and even how, if at all, it is transported to other regions of the world.
“It’s not too late to act. Companies still have a small window of time in which they can establish data ownership, identify security weak spots, and shore up defences. The risks of not doing so, simply do not add up in the modern enterprise where data, and data protection, is money,” adds Arsene.