Know Your Data: 2nd Annual GDPR Readiness Report Reveals That 60% of Organizations Are in the Dark
The report, “Organisational Readiness for the European Union General Data Protection Regulation (GDPR),” by AvePoint and CIPL shows that more strides must be made in many key aspects of GDPR implementation.
AvePoint (NASDAQ: AVPT), the global leader in data security, governance, and resilience, published the 2nd annual Organisational Readiness for the European Union General Data Protection Regulation (GDPR) report today. The report tracks GDPR implementation efforts of over 235 multinational organizations.
The GDPR establishes formal regulations around data protection for organisations located in the European Union (EU) and organisations that have an EU presence. Non-compliance with the new rules can result in fines of up to 4 percent of annual global revenue or €20 million. This year’s GDPR assessment is pivotal, with the GDPR effective date less than two months away.
Companies and Their Data Knowledge
The GDPR Readiness Report underlines how knowledgeable organizations are about their data contents and the data lifecycle. The report shows that knowledge levels vary widely across different aspects of GDPR implementation.
Approximately 60 percent of survey respondents are in the dark about the sensitive and confidential content they hold within their data and how it’s used or treated. Conversely, knowledge levels surrounding data security are increasing, with two-thirds of organizations reporting that they have internal breach notification procedures in place. More than half report having a response plan and team in place.
“The report shows that companies are not where they need to be in terms of compliance efforts. GDPR merely exacerbates how much oversight is needed to enforce changes down to the individual level,” said AvePoint Chief Risk, Privacy and Information Security Officer Dana Simberkoff. “The long road ahead is quickly becoming a short path as we approach the May 25, 2018 date. This assessment magnifies areas that need major improvement. Knowing where you are on the GDPR readiness scale is half the battle.”
Comprehensive Programs and Consent
Compared to the previous 2017 report, building and maintaining a comprehensive privacy compliance program remains one of the highest areas of impact on organizations on the road to GDPR compliance. More than half of respondents have committed additional budget to GDPR implementation, with increases ranging from hundreds of thousands of dollars to upwards of $50 million. Organizations report technology tools and software as the number one priority for GDPR-focused budget spending.
Survey data shows that respondents still rely heavily on manual methods for building and maintaining inventories of their data processing. For example, 60 percent of organizations do not have any procedures in place to identify and tag data.
“GDPR implementation consists of multiple layers of complexity,” said Bojana Bellamy, President, Centre for Information Policy Leadership. “The survey reveals that while some progress has been made in preparation for 25 May 2018, there is more work to be done by organisations that will have to step up their implementation efforts across many key change areas. Reviewing data management strategies, building new comprehensive compliance programs, and putting in place new systems, processes and procedures to facilitate the changes are crucial to successful GDPR implementation.”
Other Key Findings
- More than a third of organizations have no framework or procedures in place to identify and classify risk to different individuals; an equal number of organisations are working on developing such a framework.
- Approximately 32 percent of organizations have committed additional staff to their GDPR implementation efforts, an increase from under a quarter as noted in the previous report.
- Over half of survey respondents have operations in the U.S.
Learn more at the IAPP Global Privacy Summit
CIPL President, Bojana Bellamy, AvePoint’s Chief Risk, Privacy and Information Security Officer Dana Simberkoff, and Vice President of Product Strategy John Hodges will be available during the International Association of Privacy Professionals (IAPP) Global Privacy Summit held at the Walter E. Washington Convention Center in Washington, D.C., March 27-28.
Join Simberkoff and Hodges for the session, “Metadata is a Love Note to the Future (And Will Help You Comply With GDPR!)” on Tuesday, March 27, 4:15-5:30 p.m. ET.
Additionally, join Bellamy for the session, “Regulating for Results: Effective Use of Both Carrot and Stick” on Wednesday, March 28, 8:00-9:00 a.m. ET.
To access the full report, visit the AvePoint website. To gauge GDPR compliance progress, visit the AvePoint Privacy Impact Assessment (APIA) System website.
About AvePoint
Securing the Future. AvePoint is a global leader in data security, governance, and resilience, and over 21,000 customers worldwide rely on our solutions to modernize the digital workplace across Microsoft, Google, Salesforce and other collaboration environments. AvePoint’s global channel partner program includes over 3,500 managed service providers, value added resellers and systems integrators, with our solutions available in more than 100 cloud marketplaces. To learn more, visit https://www.avepoint.com.
Centre for Information Policy Leadership (CIPL)
The Centre for Information Policy Leadership (CIPL) works with industry leaders, regulatory authorities and policymakers to develop global solutions and best practices for privacy and responsible use of data to enable the modern information age. CIPL was founded in 2001 by leading companies and Hunton & Williams LLP to develop innovative, pragmatic approaches to privacy and data security policy that consider the requirements of business processes and concerns surrounding information protection. More details about CIPL can be found at www.informationpolicycentre.com, and you can follow us on Twitter and LinkedIn.
Hunton & Williams LLP
Hunton & Williams is a global law firm of more than 725 lawyers serving clients in the United States, Europe, Latin America, and Asia. The firm handles transactional, litigation, and regulatory matters for a diverse client base, with significant experience in privacy and cybersecurity, retail and consumer products, energy, financial services, and real estate. Visit our website at hunton.com and our Privacy and Information Security Law Blog at huntonprivacyblog.com. Follow us on Twitter, LinkedIn, and YouTube.