As many as 68 percent of businesses are not ready to comply with the requirements of the EU General Data Protection Regulation (GDPR), according to a study commissioned by Compuware and carried out by Vanson Bourne.
The study asked 400 CIOs working in France, Germany, Italy, Spain, the UK and the US about their data management practices and found that 30 percent couldn’t guarantee they could find their customer data when requested, and 43 percent failed to anonymize customer data when using it for testing – something that goes against provisions of GDPR.
The report notes that despite the UK’s vote to leave the EU, British organizations will likely have to comply with GDPR if they want to do business with the remaining member states. Businesses from the US that operate in Europe will also have to comply.
Time is running out
GDPR aims to harmonize the approach to personal data across the 28 European member states and to replace the outdated 1995 EU directive ‘on the protection of individuals with regard to the processing of personal data and on the free movement of such data’.
It gives more power to the users of online services, proposes stronger safeguards for EU citizens’ data that gets transferred abroad, and considerably increases the fines that can be imposed on companies that break the rules – up to four percent of their global annual turnover.
The legal framework also includes requirements for the ‘Right to be Forgotten’ – the right of customers to have their data deleted on request. GDPR is set to come into force in May 2018, but is likely to catch thousands of businesses off-guard.
According to Compuware, just 52 percent of organizations are currently in a position to comply with the Right to be Forgotten. 68 percent of CIOs admitted they don’t always know where customer data is, and only half can locate it quickly.
“If they don’t have a firm handle on where every copy of customer data resides across all their systems, businesses could lose countless man-hours conducting manual searches for the data of those exercising their ‘Right to be Forgotten.’ Even then, they may not identify every copy, leaving them at risk of non-compliance,” warned Elizabeth Maxwell, technical director for EMEA at Compuware.
Researchers also found that 86 percent of businesses used live customer data to test applications, but just 20 percent asked for the explicit consent mandated by GDPR. A total of 43 percent used customer data without applying any anonymization techniques. The report noted that IT trends such as agile development and the proliferation of outsourcing were making compliance increasingly difficult.
“Using customer data to test applications is fairly standard practice, but there’s no need or excuse for not depersonalizing it first,” Maxwell said. “Companies that fail to mask data before using it to test applications could soon find themselves slapped with an eye-watering fine from EU regulators.”
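As an added illustration of the depersonalization Maxwell refers to (example code written for this page, not from the Compuware report or any product it describes), the following pseudonymizes a constructed customer dataset before it is handed to a test environment: direct identifiers are replaced with keyed-HMAC surrogates that stay consistent across records (so joins still work in tests) but cannot be reversed or brute-forced without the secret, and a final check refuses to export a dataset in which any original identifier survives.

```python
import copy
import hashlib
import hmac

# Constructed sample records standing in for a production customer table.
SAMPLE_CUSTOMERS = [
    {"id": 1001, "name": "Alice Example", "email": "alice@example.org",
     "phone": "+44 20 7946 0000", "plan": "premium", "signup_year": 2016},
    {"id": 1002, "name": "Bob Example", "email": "bob@example.org",
     "phone": "+49 30 123456", "plan": "basic", "signup_year": 2017},
]

# Fields that identify a person and must never reach a test environment unmasked.
DIRECT_IDENTIFIERS = ("name", "email", "phone")


def _hmac_hex(secret: bytes, value: str) -> str:
    """Keyed HMAC rather than a plain hash: the same input always yields the same
    surrogate, but without the secret the original value cannot be recovered by
    guessing (e-mail addresses and phone numbers are cheap to enumerate)."""
    return hmac.new(secret, value.encode("utf-8"), hashlib.sha256).hexdigest()


def mask_record(record: dict, secret: bytes) -> dict:
    """Return a copy with direct identifiers replaced by format-preserving
    surrogates; non-identifying fields are kept so tests remain realistic."""
    masked = copy.deepcopy(record)
    for field in DIRECT_IDENTIFIERS:
        if field not in masked:
            continue
        digest = _hmac_hex(secret, masked[field])
        if field == "email":
            # Reserved .invalid TLD guarantees test mail can never reach a real person.
            masked[field] = f"user-{digest[:10]}@test.invalid"
        elif field == "phone":
            masked[field] = "+00 " + f"{int(digest, 16) % 10**9:09d}"
        else:
            masked[field] = f"Customer {digest[:8]}"
    return masked


def mask_dataset(records: list, secret: bytes) -> list:
    return [mask_record(r, secret) for r in records]


def leaks_identifier(masked: list, originals: list) -> bool:
    """Gate before export: True if any original identifier value survived masking."""
    raw = {r[f] for r in originals for f in DIRECT_IDENTIFIERS if f in r}
    return any(v in raw for r in masked for v in r.values() if isinstance(v, str))
```

The secret should live with the production side only; if it is shipped alongside the masked data, the surrogates become reversible by anyone who holds the export.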
GDPR applies both to businesses based in the EU and to foreign companies that want to trade in the European single market. Yet although 52 percent of US businesses hold European customer data, just 43 percent of US respondents claimed to be well briefed on the GDPR and its impact.