Worldwide Climate Of Fear Over GDPR Data Compliance Claims Veritas Study

This article is more than 7 years old.

Adrian Bridgwater

Europe is in flux, both politically and technologically. Leaving Brexit, French and British elections and the ever-changing selection pack of Italian governments aside, there is plenty of flux in the IT space emanating from the lawmakers in the central European parliament.

European ruling, worldwide impact

Arguably the biggest single European IT issue is the forthcoming General Data Protection Regulation (GDPR), a new ruling which will have worldwide impact on firms, including those in the USA, that have interests, holdings, customers and other touch points on European soil.

According to mlaw group, "The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover."

Information management company Veritas Technologies has a vested interest in GDPR. Clearly, with a portfolio of so-called 'resiliency platform' technologies, backup solutions and cloud-centric 'information discovery' products, Veritas has made much of its GDPR surveys of late as it attempts to highlight the severity of the risks about to come into play for international firms. Stopping short of out and out scaremongering, Veritas has conducted a 2017 study into how firms feel about the forthcoming ruling in an attempt to a) gauge the state of GDPR preparedness and b) validate and substantiate the use of its kind of technology.

A sobering data reality?

The latest analysis from Veritas suggests that 86 percent of organizations worldwide are concerned that a failure to adhere to GDPR could have a major negative impact on their business. More sobering perhaps is the claim that nearly 20 percent said they fear that non-compliance could put them out of business.

NOTE: As noted in the quote above, potential fines for non-compliance are as high as $21 million or four per cent of annual turnover – whichever is greater.

According to Veritas, "The GDPR requires greater oversight of where and how personal data (including credit card, banking and health information) is stored and transferred and how access to it is policed and audited by organizations. GDPR, which takes effect on May 25, 2018, will not only affect companies within the EU, but extend globally, impacting any company that offers goods or services to EU residents, or monitors their behavior, for example, by tracking their buying habits. Our study indicates that a whopping 47 percent of organizations globally have major doubts that they will meet this impending compliance deadline."

Sloppy data brand damage?

This study in particular has suggested that companies are also worried about the impact non-compliance could have on their brand image, especially if and when a compliance failure is made public, potentially as a result of the new obligations to notify data breaches to those affected. It is (arguably) true to say, we have yet to see the media pick up on non-compliance stories and have a field day over those firms who may have been lax in their preparation for GDPR.

The research suggests that many companies appear to be facing serious challenges in understanding what data they have, where that data is located and its relevance to the business.

“There is just over a year to go before GDPR comes into force, yet the ‘out of sight, out of mind’ mentality still exists in organizations around the world. It doesn’t matter if you’re based in the EU or not, if your organization does business in the region, the regulation applies to you,” said Mike Palmer, executive vice president and chief product officer at Veritas. “A sensible next step would be to seek an advisory service that can check the level of readiness and build a strategy that ensures compliance. A failure to react now puts jobs, brand reputation and the livelihood of businesses in jeopardy.”

Study method

2017 across the US, the UK, France, Germany, Australia, Singapore, Japan and the Republic of Korea. The respondents were from organizations with at least 1,000 employees and could be from any sector. To qualify for the research, respondents had to be from organizations which do at least some business within the EU and therefore hold personal data on EU residents.

Time to take stock of the IT stack

What all this leads to is a world where firms are having to step back and examine the total scope and inventory of their 'IT stack', i.e. the total amount of hardware, software, connected cloud systems and mobile devices that have the ability to digitize customer information. This is why we hear firms like Veritas talk about so-called eDiscovery and the process of putting some kind of nomenclature and management control over the information pool across which they operate.

More than 40 percent (42%) of organizations in the Veritas study admitted that there is no mechanism in place to determine which data should be saved or deleted based on its value. Under GDPR, companies can retain personal data if it is still being used for the purpose that was notified to the individual concerned when the data was collected, but must delete personal data when it is no longer needed for that purpose.

It could well be time to get anal about data retention.
