FINAL WORD
for their organisation to identify and report a personal data breach within 72 hours of awareness; a mandatory GDPR requirement where there is a risk to data subjects. Any organisation that is unable to report the loss or theft of personal data – such as medical records, email addresses and passwords – to the supervisory body within this time frame is breaking with this key requirement.

The findings in this report suggest that organisations that think they are already compliant with GDPR should revisit their compliance strategies. Failure to meet GDPR requirements could attract a fine of up to 4 per cent of global annual turnover, or €20 million, whichever is greater.
The former employee threat

Restricting former employee access to corporate data and deleting their systems credentials helps to stem malicious activity and ensure that financial loss and reputational damage are avoided. Yet, a staggering 50 per cent of so-called compliant organisations said that former employees are still able to access internal data. These findings highlight that even the most confident organisations struggle to control former employee access and are potentially susceptible to attacks.

Challenges exercising ‘the right to be forgotten’

Under GDPR, EU residents will have the right to request the removal of their personal data from an organisation’s databases. However, Veritas’ research shows many organisations that stated they already are in compliance will not be able to search, find and erase personal data if the ‘right to be forgotten’ principle is exercised.

Of the organisations that believe they are GDPR-ready, one-fifth (18 per cent) admitted that personal data cannot be purged or modified. A further 13 per cent conceded that they do not have the capability to search and analyse personal data to uncover explicit and implicit references to an individual. They are also unable to accurately visualise where their data is stored, because their data sources and repositories are not clearly defined.
These shortcomings would render a company non-compliant under GDPR. Organisations must ensure that personal data is only used for the reasons it was collected and is deleted when it’s no longer needed.

Demystifying GDPR responsibility

Veritas’ research also found that there is a common misunderstanding among organisations regarding the responsibility of data held in cloud environments. Almost half (49 per cent) of the companies that believe they comply with GDPR consider it the sole responsibility of the cloud service provider (CSP) to ensure data compliance in the cloud. In fact, the responsibility lies with the data controller (the organisation) to ensure that the data processor (the CSP) provides sufficient GDPR guarantees. This perceived false sense of protection could lead to serious repercussions once GDPR is enacted.

Data is one of the most valuable assets of any organisation. With the enormous growth in the type and volume of data held within an organisation, the challenge of data management is growing significantly. The fundamental requirement of good data governance is visibility and classification, but to comply with GDPR, organisations must be able to locate, search and minimise the amount of personal data held, as well as protect and actively monitor this data. GDPR certainly creates a potential new risk for Middle East organisations but also an opportunity to develop good data governance and management practices; the starting point should be a comprehensive data audit to help mitigate this risk before GDPR comes into effect.

GDPR is intended to harmonise data privacy and protection mandates across European Union (EU) member states. It requires organisations to implement the appropriate protection measures and processes to effectively govern personal data. GDPR will take effect on 25 May 2018 and will apply to any organisation – inside or outside the EU – that offers goods or services to EU residents, or monitors their behaviour.
Methodology

Veritas commissioned independent technology market research specialist Vanson Bourne to undertake the research upon which this report is based.

A total of 900 business decision-makers were interviewed in February and March across the US, the UK, France, Germany, Australia, Singapore, Japan and the Republic of Korea. The respondents were from organisations with at least 1,000 employees and could be from any sector. To qualify for the research, respondents had to be from organisations that do at least some business with the EU.

Interviews were conducted online using a rigorous multi-level screening process to ensure that only suitable candidates had the opportunity to participate.