Companies do not Always Comply with the GDPR


General Data Protection Regulation (EU GDPR)

Not all companies have yet completed their compliance with the European Regulation on Private Data, although many have made significant efforts within their organisation, in some cases involving IT and legal expertise. While businesses spend tens of millions to comply with regulations, more than 90% of them have fundamental IT weaknesses that make them vulnerable and potentially non-compliant, according to a recent Tanium study of IT decision makers.

For multinationals, the sums spent over the past 12 months to ensure compliance with the various data protection regulations rise to nearly $70 million on average. In addition, a majority of companies hired new talent (81%), invested in training (85%) and introduced new software or services (82%) to ensure continued compliance, the report notes.

Despite these massive investments, many businesses still feel poorly prepared to deal with the changing regulatory landscape. More than a third of the respondents (37%) say that lack of visibility and control over workstations and servers is the main obstacle.

Vulnerability to cyber attacks

This lack of visibility leaves companies “vulnerable to cyber attacks and exposing themselves to data leaks,” continues Tanium. The main reasons given for this lack of visibility are the lack of collaboration between security and production teams (35%), the lack of means to manage the IT fleet (33%) and the use of too many solutions in the company (32%).

This lack of control over the IT fleet can also be exacerbated by the breakdown of home work organisation and the use of personal devices. Hervé Szafir, Director of Cybersecurity at Opentext, said in this regard, “In many cases, telework was implemented in a hurry and without proper planning, without the right security tools for systems and networks in place.” In this context, “remote work policies were not clearly defined or updated, including procedures for reporting potential data breaches or losses,” he says.

“Also, companies must adapt to these new circumstances to ensure a level of security that takes into account the new risks presented by data processing activities in order to be able, despite the crisis, to calmly face the third year of GDPR compliance,” says Hervé Szafir.

Awareness

But according to a survey conducted by Data Legal Drive, the Covid-19 crisis has also served, to some extent, as a catalyst for companies in their GDPR compliance work. Nearly 40% of the DPOs and lawyers interviewed said that they used confinement to “deal with the substantive issues of their company’s GDPR compliance, and in particular, for nearly half of the respondents, updating the famous treatment registry,” the study notes.

“In the first days of the health crisis, some people may have thought that GDPR compliance would be relegated to the Greek calendar. In fact, of course, the opposite has happened. The implementation of confinement has massively enabled companies to become fully aware of the path to be taken: massive telework implies a (re)advanced HR organization, with issues of social and privacy law, and a (re)upgrading of data security processes,” said Sylvain Staub, CEO of Data Legal Drive.

One third of respondents agree that teleworking has helped to strengthen business security. However, while a third of the respondents stated that they did not need to modify security processes that were already up to standard, the last third did not take any action, although there might be a need for a security review, the study notes.

In addition, 30% of the companies surveyed said that they offered GDPR training to their employees during confinement. However, a third did not take advantage of it, believing that it was not the priority of the moment, while nearly 40% nevertheless think they have the means to conduct training in the coming weeks.

Finally, while only one in three websites is reported to be 100% compliant with the GDPR, some companies took advantage of the confinement to advance the compliance of their websites. In the end, “containment would have - salutarily - allowed more than half of the DPO respondents and those responsible for this treatment to focus again on this essential site that is a showcase for any company,” the survey summarizes.
