HyTrust announced today the results of a survey of security professionals revealing that only 14 percent of organizations believe they are fully ready to meet the requirements of the General Data Protection Regulation (GDPR), which takes effect May 25, 2018. Forty percent of respondents reported varying degrees of being unprepared, and a surprising 26 percent said they were unsure whether they were prepared. The European Union law governing data protection and privacy for EU citizens carries penalties of up to 4 percent of an organization’s worldwide annual revenue for non-compliance. The survey was conducted in mid-April during the RSA Conference 2018 in San Francisco.
“The spirit of GDPR is to ‘do the right thing’ to protect private information,” said John De Santis, chairman and CEO, HyTrust. “While the potential fines are headline-grabbing, the intent of the regulation is not to impose fines. HyTrust encourages organizations to quickly get to the desired ‘right’ end state of implementing and automating sound security controls and encryption now, rather than spend a lot of time and money scaring management into funding studies. Good security practitioners turn to HyTrust to do right through automation, which is the most efficient and cost-effective way possible.”
Other findings included the following:
- 73% of respondents reported being surprised by the extent of the changes their organizations must undergo to meet the GDPR requirements. (Of those, 21% were surprised by the amount of new technology needed to make those changes.)
- 25% admitted that the cost for required changes was greater than expected.
- 15% were surprised by the amount of new hiring necessary to achieve compliance.
- 26% were surprised over the extensiveness of necessary changes to security and IT policies.
- 40% indicated that no changes were required to their current data encryption policies, but 60% said that some level of change was necessary.
- Of those requiring change, 17% said they now encrypt data in places where they had not done so previously.
- 23% have changed their encryption-key policies to meet GDPR requirements. (Encryption-key policies are valuable to segment data access and control its lifecycle, including proper retirement and secure disposal.)
- 19% of organizations said they now segment their data and encrypt it based on data type and usage. (Data segmentation is an important step in protecting Personally Identifiable Information (PII) and meeting regulatory requirements.)
GDPR is a set of regulations designed to protect the privacy of all EU citizens while making privacy law consistent across Europe. Under the law, “personal data” can include names, photos, email addresses, bank details, posts on social media, medical information, a computer’s IP address and more. The regulation applies both to organizations that collect and control this data and to organizations that process it on their behalf. In addition to the steep fines for serious non-compliance, GDPR comprises tiers of lesser fines to address issues such as not having records in order, not notifying the supervisory authority and the data subject about a breach, or not conducting data protection impact assessments.
- Infographic: Are you ready for GDPR?
- White Paper: The European Union General Data Protection Regulation, HyTrust Product Applicability
- Press Release: GDPR Compliance and Fines May Affect Almost 80% of Organizations Surveyed