Veritas Study: Organizations Worldwide Mistakenly Believe They Are GDPR Compliant
Only two percent of “GDPR-ready” organizations are compliant
Singapore, July
25, 2017 – A study from Veritas
Technologies, a leader in multi-cloud data
management, has found that organizations across the globe mistakenly believe
they are in compliance with the upcoming General
Data Protection Regulation (GDPR).
According to findings
from The Veritas 2017
GDPR Report, almost
one-third (31 percent) of respondents said that their enterprise already
conforms to the legislation’s key requirements. However, when those same
respondents were asked about specific GDPR provisions, most provided answers
that show they are unlikely to be in compliance. In fact, upon closer
inspection, only two percent actually appear to be in compliance, revealing a
distinct misunderstanding over regulation readiness.
The findings from the report
show that almost half (48 percent) of organizations who stated they are
compliant do not have full visibility over personal data loss incidents.
Moreover, 61 percent of the same group admitted that it is difficult for their
organization to identify and report a personal data breach within 72 hours of
awareness – a mandatory GDPR requirement where there is a risk to data
subjects. Any organization that is unable to report the loss or theft of
personal data – such as medical records, email addresses and passwords – to the
supervisory body within this timeframe is in breach of this key requirement.
The findings in this report
suggest that organisations that think they are already compliant with the GDPR
should revisit their compliance strategies. Failure to meet GDPR requirements
could attract a fine of up to four percent of global annual turnover or €20
million, whichever is greater.
The former employee threat
Restricting
former employee access to corporate data and deleting their systems credentials
helps to stem malicious activity and ensure that financial loss and
reputational damage are avoided. Yet, a staggering 50 percent of so-called
compliant organizations said that former employees are still able to access
internal data. These findings highlight that even the most confident
organizations struggle to control former employee access and are potentially
susceptible to attacks.
Challenges exercising “the right to be forgotten”
Under
the GDPR, EU residents will have the right to request the removal of their
personal data from an organization’s databases. However, Veritas’ research
shows many organizations that stated they already are in compliance will not be
able to search, find and erase personal data if the “right to be forgotten”
principle is exercised.
Of
the organizations that believe they are GDPR-ready, one-fifth (18 percent)
admitted that personal data cannot be purged or modified. A further 13 percent
conceded that they do not have the capability to search and analyze personal
data to uncover explicit and implicit references to an individual. They are
also unable to accurately visualize where their data is stored, because their
data sources and repositories are not clearly defined.
These
shortcomings would render a company non-compliant under the GDPR. Organizations
must ensure that personal data is only used for the reasons it was collected
and is deleted when it’s no longer needed.
Demystifying GDPR responsibility
Veritas’
research also found that there is a common misunderstanding among organizations
regarding the responsibility of data held in cloud environments. Almost half
(49 percent) of the companies that believe they comply with the GDPR consider
it the sole responsibility of the cloud service provider (CSP) to ensure data
compliance in the cloud. In fact, the responsibility lies with the data
controller (the organization) to ensure that the data processor (the CSP)
provides sufficient GDPR guarantees. This false sense of protection
could lead to serious repercussions once the GDPR takes effect.
“The GDPR dictates that multi-national
corporations take data management seriously. However, the latest findings show
confusion over what’s needed to comply with the regulation’s mandatory
provisions. With the implementation date looming ever closer, these
misconceptions need to be eradicated fast,” said Mike Palmer, executive vice
president and chief product officer, Veritas.
“With regulations like the GDPR you have to
understand what data you have in your organization. But you must also know how
to take action on it and how to classify it so that policy can be applied
accordingly. These are the fundamentals of compliance and the findings today
should be used to educate businesses about the mistaken beliefs that could put
an organization out of business.”
The GDPR is intended to
harmonize data privacy and protection mandates across European Union (EU)
member states. It requires organizations to implement the appropriate
protection measures and processes to effectively govern personal data. The GDPR
will take effect on May 25, 2018 and will apply to any organization –
inside or outside the EU – that offers goods or services to EU residents, or
monitors their behavior.
In
addition to this research, Veritas will announce today Veritas Data Insight
6.0, Veritas Enterprise Vault 12.2 and the Integrated Classification Engine, a
new technology that delivers powerful intelligence into data risks on-premises
and in the cloud. The classification engine provides broad visibility
into personal data and helps companies meet compliance regulations, like GDPR.
The Integrated Classification Engine is available now in Veritas Data Insight
6.0, and will be available with Veritas Enterprise Vault 12.2 in August. Future
integrations are planned across the Veritas data protection, storage and
governance portfolio.
For
information on how Veritas Technologies can help your organisation become GDPR
compliant visit https://www.veritas.com/gdpr.
Methodology
Veritas commissioned independent technology
market research specialist Vanson Bourne to undertake the research upon which
this report is based.
A total of 900 business decision makers were
interviewed in February and March across the US, the UK, France, Germany,
Australia, Singapore, Japan and the Republic of Korea. The respondents were
from organizations with at least 1,000 employees, and could be from any sector.
To qualify for the research, respondents had to be from organizations that do
at least some business with the EU.
Interviews were conducted online using a
rigorous multi-level screening process to ensure that only suitable candidates
had the opportunity to participate.
About Veritas Technologies
Veritas Technologies empowers businesses of all
sizes to discover the truth in information—their most important digital asset.
Using the Veritas platform, customers can accelerate their digital
transformation and solve pressing IT and business challenges including
multi-cloud data management, data protection, storage optimization, compliance
readiness and workload portability—with no cloud vendor lock-in. Eighty-six
percent of Fortune 500 companies rely on Veritas today to reveal data insights
that drive competitive advantage. Learn more at www.veritas.com or follow us on Twitter at @veritastechllc.
Forward-looking Statements: Any forward-looking indication of plans
for products is preliminary and all future release dates are tentative and are
subject to change at the sole discretion of Veritas. Any future release
of the product or planned modifications to product capability, functionality,
or feature are subject to ongoing evaluation by Veritas, may or may not be
implemented, should not be considered firm commitments by Veritas, should
not be relied upon in making purchasing decisions, and may not be incorporated
into any contract.
Veritas, the Veritas Logo, NetBackup, Backup
Exec and Enterprise Vault are trademarks or registered trademarks of Veritas
Technologies LLC or its affiliates in the U.S. and other countries. Other names
may be trademarks of their respective owners.