Senior executives worldwide are not adequately prepared for the introduction of the EU’s General Data Protection Regulation (GDPR) in May, recent research indicates.
A survey from Trend Micro found that C-suite executives are not approaching the regulation with the seriousness required. Although 95% of business leaders report being aware of the need to comply with the regulation, 57% shun responsibility for complying with the regulation.
The results indicate that senior executives may be overconfident in their organisation’s ability to comply. While 79% of businesses are confident that their data is as secure as it can be, there is confusion over what constitutes the personally identifiable information that will need to be protected under GDPR.
Of those surveyed, 64% were unaware that a customer’s date of birth constitutes PII. In addition, 42% wouldn’t classify email marketing databases as PII, 42% don’t consider physical addresses to be PII and 21% don’t see email addresses as PII.
Such data provides hackers with the information they need to commit identity theft, so companies not properly protecting this information are at risk of a fine under the GDPR.
Likewise, only 33% of respondents recognise that they face penalties under the regulation of up to 4% of their annual turnover, and a majority are unaware that their business could be shut down as a result of a breach.
Trend Micro ANZ Managing Director Indri Siriniwasa said the findings are consistent with research at Trend Micro’s CLOUDSEC Sydney conference in August, which found that while 56% of respondents agree that they will be impacted by the upcoming mandatory data breach notification scheme, 28% admit that they have no formal process for risk management and cloud security.
“It has never been more important for organisations to make cybersecurity a key priority, and protect the interests of their customers against cybersecurity attacks,” he said.
“Not only is this a security and prevention issue, but it can also have a disastrous impact on both brand and reputation.”
Separate research from the security professional industry body ISACA also found that fewer than a third of senior executives and boards of directors are satisfied with their organisation’s progress in preparing for the GDPR, and 35% are not even aware of their progress.
ISACA is urging organisations to gain executive-level support for GDPR compliance initiatives, appoint a data privacy officer and develop and rehearse incident response plans.
“GDPR is more aggressive than previous privacy requirements, with tougher consequences for violation. It also doesn’t define what ‘reasonable’ means in terms of the required level of personal data protection, which gives the GDPR governing body wide latitude when it comes to assessing fines for noncompliance,” commented Mark Thomas, author of ISACA’s GDPR paper.
“Companies equipped with a solid governance structure have already won half the battle. For those without, this is an important driver for adopting one.”