Many Companies Are Not Actually GDPR Compliant

Data breaches have become increasingly common in recent years. As cybercriminals have become more organized and sophisticated, the repositories of personal user data held by many companies as a core part of their business strategy have become a common target of attack. Since many organizations do not have the appropriate defenses in place to fend off these attacks, data breaches now occur on a more than daily basis.

One response to the growing threat of the data breach has been the passage of multiple data protection regulations. The EU’s General Data Protection Regulation (GDPR) is likely the most famous of these and inspired many others to be created. While the GDPR has been in active enforcement for well over a year, many organizations are still not compliant with it. As a result, these organizations are leaving themselves open to both attack and penalties from GDPR regulators for their failure to adequately protect the personal data that their customers have entrusted to them.

Introduction to the GDPR

The General Data Protection Regulation was adopted by the European Union on April 14, 2016, over two years before it went into effect on May 25, 2018. The GDPR spurred many other governments to pass and enact their own data privacy regulations and changed the data privacy landscape in several significant ways.

One of the biggest impacts of the GDPR is that it protects a much wider range of personal data in a much greater territorial scope than previous regulations. Under the GDPR, any data that can be used to uniquely identify an EU citizen is protected, and even organizations outside the EU are subject to the regulation and must comply with its terms in order to handle EU citizen data. The GDPR dramatically restricts how an organization can collect a person’s data and what they are permitted to do with it after collection. The regulation also provides data subjects with many more rights than they had previously regarding their personal data that is collected, stored, and processed by organizations.

The State of GDPR Compliance

Despite the two years that they had to prepare, many organizations are not compliant with the GDPR over a year after it went into effect. As of June 2019, only 28% of companies consider themselves compliant with the GDPR. This is a far cry from the 78% of organizations that anticipated being compliant by June 2018, a year earlier.

The demographics of compliant organizations are also interesting. Despite the fact that the GDPR is an EU regulation, the United States is the most compliant country, with a 35% compliance rate.

One of the biggest issues with achieving GDPR compliance is a lack of understanding of the regulations, cited by 36% of organizations as a major challenge. The GDPR can be complicated and is designed to have deliberately general wording in order to provide it the flexibility to adapt to changing cyber threats and solutions. As a result, organizations can have difficulty mapping the goals and security requirements of the regulation to concrete security controls that they can implement in their environments to achieve compliance.

However, it has been shown that organizations also have difficulty understanding their responsibilities under the GDPR. A talk at the Black Hat cybersecurity conference in August 2019 demonstrated this through an experiment. With the permission of his fiancée, a security researcher contacted several companies in her name requesting personal information. Many companies provided the information in exchange for answering simple questions (email address and phone number) or easily-forged documentation. Other organizations claimed not to be liable to the GDPR. In both of these cases, the organizations questioned demonstrated that they do not actually understand their responsibilities under the GDPR.

The Importance of GDPR Compliance

Understanding an organization’s responsibilities under the GDPR and achieving compliance is important for businesses in several different ways. The first reason to achieve compliance is to avoid the regulatory penalties that can come with non-compliance. GDPR regulators can seize up to 4% of global turnover or 20 million Euros (whichever is greater) in fines for a breach or up to 2% of global turnover for non-compliance that does not result in a breach. GDPR regulators have demonstrated a willingness to exercise their powers as demonstrated by the large fines levied against British Airways and the Marriott hotel chain.

However, organizations that have achieved GDPR compliance have found that positive incentives exist for doing so as well. 92% of organizations who have achieved compliance with the GDPR found that it provided a competitive advantage to them. With the deluge of data breaches in recent years, consumers have come to prioritize a willingness and commitment to protecting their personal data when making purchase decisions.

While achieving compliance with the GDPR can be a complicated matter, the first step of achieving compliance with any data privacy regulation is ensuring that an organization’s stores of personal data are protected against attack.

A valuable first step in complying with the GDPR is deploying a data protection solution that is capable of identifying repositories of data that should be protected under the regulation and ensuring that the appropriate protections are in place to ensure its security. A solution with an integrated understanding of the GDPR requirements and the ability to automatically generate compliance reports can dramatically decrease the cost and complexity of complying with the GDPR and other data privacy regulations.