Unless you have been living under a rock for the past couple of years, you will no doubt be aware of the new General Data Protection Regulation (GDPR), coming into force in May.
A Commvault survey of 177 global IT personnel conducted in October 2017 reveals there is still a significant disconnect between business and IT leadership on GDPR, with the business thinking there is a ‘magic switch’ to flick, and IT still believing it to be a business process issue.
Despite the fact that the changes GDPR will bring are widely known, according to the findings of its survey, the majority of IT organisations around the world are failing to make even fundamental GDPR preparations, and only 11 percent of global organisations understand what constitutes personal data within their business.
Considering that being able to clearly identify what personal data is stored, accessed and used is an essential prerequisite before even attempting to become compliant, this is worrying. As a result, it is unsurprising that only 12 percent feel they are ready for the implementation of the legislation. With this in mind, understanding your current position is critical, so that efforts can be focused on fixing the most pressing GDPR gaps in your organisation.
The ‘Right to be forgotten’
One of the key talking points of the GDPR is article 17 – ‘The right to be forgotten’. This will give citizens the ability to contact any business or organisation within the EU and ask for their data to be deleted. However, if you put yourself in the shoes of a large organisation, or even a small business, that receives this type of request, just how easy is it to actually carry out?
Only 16 percent of organisations polled said they were confident that they could immediately find data related to specific individuals; 36 percent indicated that it would take hours to collect this data; 25 percent said it would take days; 18 percent said it would take weeks; and five percent actually admitted that there was no way they could find this data, rendering both GDPR compliance and ‘The right to be forgotten’ entirely ineffective.
In fact, the survey also revealed that, in regard to the specific management of personal information, only 18 percent of organisations had the capability to delete data on request from all data stores – a process that could be immediately required of any organisation operating in EU markets as of May 26. Only nine percent believed they could effectively anonymise their data when required, and fewer still (eight percent) believed that they would be able to collate and export data from their organisation to a third party at the request of individuals.
Not able to comply? Or not sure how to?
It is easy to understand how businesses might struggle to change processes that are deeply rooted within the organisation, such as data collection and storage. However, the research also revealed there was a general lack of understanding amongst IT professionals regarding exactly what they needed to change in everyday processes to achieve regulatory compliance.
Given these challenges, 89 percent of organisations and IT personnel admit to still being confused by key elements of the regulation, revealing considerable gaps between current knowledge and the fundamental implementations required to establish a data management strategy that enables GDPR compliance. Other key findings included:
- Only 21 percent of organisations feel they have a good understanding of what GDPR means in practice
- Only 18 percent of organisations said they understood what data their company has and where it lives
- Only 17 percent of organisations understood the potential impact of GDPR on the overall business
- Only 12 percent of organisations understood how GDPR would affect cloud services
Given these findings, it is highly likely that we will see several high-profile organisations hitting the headlines for contravening GDPR soon after it comes into effect in May, mainly due to a lack of understanding of the data they hold and its relationship to GDPR.
While GDPR may present a challenge, realigning IT processes around personal data can help with digital transformation and the modernisation of entrenched, out-of-date processes. Ultimately, aligning GDPR programmes with IT modernisation can actually deliver savings, operational benefits and boost productivity beyond the risk-reduction goal of ‘just being compliant’.
Organisations should view GDPR as a catalyst for positive business transformation, rather than a herald of the apocalypse, despite the popular weight of opinion in the media, and I for one am looking forward with positivity to May 25.
Contributed by Nigel Tozer, solutions marketing director at Commvault.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.