Recent research carried out by Trend Micro Inc. has revealed that many C-level executives across nearly 57% of SMEs are nowhere near prepared for GDPR implementation when it happens on 25 May 2018. In addition, almost half the businesses surveyed claimed not to know if their firm’s email marketing databases contain PII, and nearly a quarter said that they wouldn’t be bothered if they were found to be in violation of GDPR and fined as a consequence.
Although almost all business leaders are fully aware that they need to comply with the impending GDPR regulations, and 85% have actually reviewed its requirements, less than half will be in full compliance by the deadline date. This apparent apathy is concerning and surprising, given the recent number of high-profile incidents in which confidential client and company data has been stolen by cyber criminals and used for identity theft or corporate blackmail.
What’s the cost of not being compliant?
The survey found that around 66% of respondents were pretty dismissive of the amount of penalty they could receive if they don’t have the requisite security in place, which leads one to the conclusion that many are unaware of the size of the fine that could be levied.
In fact, businesses guilty of non-compliance could be fined up to 4% of their annual turnover. This, in addition to the damage that would be done to brand confidence and reputation, could spell disaster for many guilty SMEs. The cost of investing in the appropriate data protection equipment and employing suitable DP policies should be viewed as sensible business practice, rather than an operational burden.
Who holds responsibility for GDPR in organisations?
One issue surrounding the implementation of GDPR is who owns responsibility within organisations for any breaches that occur. For example, many businesses are uncertain as to who is accountable for the loss of any EU data by a US service provider. The correct answer to this question is that both parties hold equal responsibility for the loss of data.
There is also a fair amount of confusion around who should own compliance with the regulations within the business. Almost one third of those surveyed thought that their CEO should lead GDPR compliance, whereas over a half thought that their IT department or senior members of their company security team should carry the can. Less than one quarter of respondents felt that board-level or management staff members should be involved, despite the fact that failure to comply could have very serious consequences for the business.
Despite cyber-attacks on businesses being on the increase and becoming more and more sophisticated, many SMEs don’t have the layered data protection technology required to combat them. GDPR says that businesses must implement technology that is appropriate to the risks faced by the individual organisation. However, only one third have intruder identification tech in place, one third have invested in data leak prevention tech, and the same number have implemented encryption technology.
Organisations in the healthcare and financial services sectors seem to be particularly attractive targets for cybercriminals and hackers, and it seems clear that these sorts of businesses should put in place the most robust protection available.
The research project carried out by Trend Micro Inc. has produced some alarming results, with many companies seemingly adopting a somewhat cavalier approach to GDPR. However, for those who fail to prepare for the drop-dead date of 25 May 2018, the future of their business could look bleak, both financially and in terms of lost client confidence.