Organisations across the globe are unaware that the EU General Data Protection Regulation (GDPR) affects them, according to a report by NTT Security.
Risk:Value 2017 found that, even in Europe, barely half of surveyed organisations knew that the Regulation applied to them. Respondents in Switzerland were the most aware (58%), followed by Germany and Austria (53% each). Respondents in the UK had the lowest level of awareness (39%), presumably because of the misconception that Brexit will spare them from the GDPR.
Reputations are on the line
Data protection has become a serious issue in recent years, with data breaches becoming more common and met with greater media attention and public scrutiny.
Most organisations that suffer breaches already struggle to justify the security weaknesses that let the breach happen, and they’ll have an even harder time once the GDPR takes effect. The Regulation instructs organisations on what they need to do to mitigate the risk of a breach, and failing to meet its requirements shows poor security planning and, perhaps more importantly, a disregard for data subjects’ legal rights.
Once it becomes public knowledge that an organisation isn’t complying with the GDPR, there will be a huge risk of a backlash. People will have every right to request the removal of their data from the organisation’s systems, and there will almost certainly be a drop-off in new customers. That alone, regardless of the associated fines, could have a devastating effect.
This is a problem organisations are well aware of, with 51% of respondents to the report saying that their biggest concern following a data breach is reputational damage. However, the most damaging thing an organisation can do to its reputation is to ignore its obligation to comply with the GDPR.
Ignorance is no defence
According to Simon Williams, CEO of NTT Data, too many senior staff are oblivious to the GDPR. Speaking to Infosecurity Magazine, he said:
“I was sitting with the COO of a UK insurance company recently and he said ‘I’ve been doing some internet research on what is GDPR and what I need to do in my organization, is that something you can help us with’ and there was a stunned silence in the room as we said yes, but we too[k] them on the journey to help them understand the potential impact to the organization. So there are a lot of people leaving it very late.”
Ignorance of the law is obviously no defence, so senior staff and anyone involved in data protection need to educate themselves on the GDPR and what needs to be done before the compliance deadline.
For a clear, concise introduction to the Regulation, you should read EU GDPR – A Pocket Guide. Written by Alan Calder, the founder and executive chairman of IT Governance, this guide explains everything you need to know about the GDPR, including the terms and definitions used in the Regulation, what it means for your organisation and how you can become compliant.