It might be time for a data governance and compliance audit. A new survey by ISACA finds that more than two out of three companies aren’t fully prepared to comply with the European Union’s new General Data Protection Regulation (GDPR), which creates new rules for how companies manage and protect the data of their customers and other affiliates. The regulation, which was adopted two years ago in April 2016, takes effect on Friday, but just 29 percent of the 6,000 companies surveyed around the globe said they are prepared to follow it.
Not only are most unprepared for the deadline, but only about half (52 percent) of the companies surveyed by ISACA in April expect to be compliant by the end of the year, and 31 percent do not know when they will be fully compliant. Interestingly, cost is not one of the top barriers to preparing to follow the new data regulations.
According to ISACA’s research, the top five challenges related to GDPR compliance are:
- Data discovery and mapping (59 percent)
- Prioritizing GDPR compliance among other business priorities (47 percent)
- Organizational education and change programs (45 percent)
- Ensuring cross-departmental collaboration and buy-in (42 percent)
- Preparation for data subject access or deletion requests (37 percent)
Cost was the seventh-highest concern, at 32 percent. About 27 percent say it will cost under $1 million to become GDPR compliant, with 15 percent spending $1 million or more. More than half of the business technology professionals surveyed were unsure how much their organizations would be spending.
Training and Awareness Needed
Among the survey’s most concerning findings is the level of employee education and training on GDPR and on their role in complying with it. Only 39 percent of respondents say their organizations’ employees have been educated to a satisfactory level about their responsibilities to maintain GDPR compliance.
“Employee awareness and education are critical components of ongoing GDPR compliance,” said Chris Dimitriadis, chair of ISACA’s GDPR Working Group. “Awareness of—and commitment to—well-defined security, data management, and privacy policies and procedures clearly need to be an integral part of every organization’s culture, from the top down.”
The good news is that the majority of executive leaders recognize the importance of GDPR and its implications. According to the ISACA data, nearly 7 in 10 respondents (69 percent) believe their organization’s executives have made achieving GDPR compliance a priority.
According to the survey, organizations also expect to achieve significant benefits from GDPR compliance. The top three anticipated positive outcomes are:
- Greater data security (60 percent)
- Improved business reputation (49 percent)
- Marrying data security best practices with corporate culture (43 percent)
“One of the most practical and cost-effective ways organizations can support GDPR and other compliance requirements is to help employees understand the business value of the information they deal with on a regular basis,” said Tim Upton, CEO at TITUS, which sponsored ISACA’s survey and research report. “That way, employees become more aware of their responsibilities when it comes to handling and protecting data within the flow of work, providing added value to the ways organizations earn and maintain the trust of customers and employees.”
Stiff Consequences
We will soon find out whether major consequences will befall the many companies that are not prepared to deal with GDPR. Penalties for non-compliance can be quite severe. A fine of up to €20 million ($23.5 million) or up to 4 percent of the annual worldwide revenues of the preceding financial year can be levied for violating certain provisions of the regulation.