As new EU data protection rules loom over the horizon, a survey reveals how much IT executives do or do not know about what this new regime means for their business.
A survey of IT executives in 11 nations shows that fewer than half of them think the sweeping new data protection rules that take effect next year are relevant to their businesses, while a fifth of the 1,350 people polled admit they don't know which regulations apply to them.
The survey was published in the NTT Security Risk:Value report. The General Data Protection Regulation, or GDPR, comes into force on 25 May, a few months after the financial services industry has to deal with the European Union's MiFID II rules on price transparency and investor protection. The strict new GDPR rules, designed to enhance privacy and security, could see offenders fined up to €20 million ($22.8 million) or 4 per cent of global annual turnover, whichever is higher.
The report said 40 per cent of respondents globally believe their organisation will be subject to the EU GDPR, and a further 19 per cent said they do not know which compliance regulations they are subject to.
In the UK, just 39 per cent of respondents currently identify GDPR as a compliance issue, and 20 per cent admit they don't know at all, but the report found the figures were worse outside Europe. Just a quarter of business decision makers in the US, 26 per cent in Australia, and 29 per cent in Hong Kong believe they are subject to GDPR, despite the fact that it will apply to any business holding or collecting data on individuals in the EU, wherever that business is based.
The arrival of such rules also raises the question of whether some of the requirements of one set of regulations (GDPR) could conflict with other new rules (MiFID II), leading to confusion and legal test cases down the line. Some industry figures have told this publication that such fears are misplaced if GDPR's implications are fully understood.
With data management and storage a key component of the GDPR, the report also revealed that a third of respondents do not know where their organisation's data is stored, while just 47 per cent say all of their critical data is securely stored. Of those who do know where their data is, fewer than half (45 per cent) described themselves as "definitely aware" of how the new regulations will affect their institution's data storage. Those in the financial services, banking, computer services and technology sectors were found to be the most likely to know where their data is stored and which compliance regulations they are subject to.
"In an uncertain world, there is one thing organisations can be sure of and that's the need to mark the date of 25 May 2018 in their calendars," according to Garry Sidaway, SVP security strategy & alliances at NTT Security. "While the GDPR is a European data protection initiative, the impact will be felt right across the world for anyone who collects or retains personally identifiable data from any individual in Europe. Our report clearly indicates that a significant number do not yet have it on their radar or are ignoring it. Unfortunately many organisations see compliance as a costly exercise that delivers little or no value; without it, however, they could find themselves losing business as a result, or paying large regulatory fines."
Meeting GDPR's data security requirements may be costly for a firm, but the report found that better data security is necessary for a firm to flourish.
Around one in eight respondents believe that poor information security is the "single greatest risk" to the business, and 57 per cent of decision makers believe a data breach is inevitable at some point. Loss of customer confidence (55 per cent) was seen as the biggest long-term damage to a company after a data breach, followed by damage to reputation (51 per cent) and financial loss (43 per cent). The cost of recovery has increased, according to NTT Security, from $907,000 in 2015 to $1.35 million in 2017.