The dangerous GDPR compliance disconnect: between perception and reality

When it boils down to GDPR readiness there is clearly a GDPR compliance disconnect: a gap between the degree in which executives think they are GDPR compliant (and will be by May 2018) and the actual degree in which they are (and are preparing).

Only 49% of businesses know and have documented the personal EU data that they process. And despite having two years to prepare, only 40% of those surveyed have completed a GDPR readiness assessment (Proofpoint, December 5, 2017)

This GDPR compliance disconnect exists on all (strategic) levels: from the crucial stage of awareness of employees and a good understanding of GDPR personal data and identifiers stipulations to the inventorizing of personal data, gap analysis, drafting of a plan and executing it in a staged and prioritized way, always with the need to consider risk from the perspective of the data subject when prioritizing.

It’s true that GDPR compliance in reality is never completely possible as explained in our article on GDPR compliance as a strategic business matter. There will always be lose ends and there is no such thing as a riskless environment in security, data protection and so forth.

However, what the regulator wants to see is that you’ve taken the necessary steps to get as close to being compliant and, at the very least, have a plan and clear strategy to do so and to avoid personal data breaches (see Article 4 of Chapter 1 of the GDPR for definitions of personal data, personal data breaches amd more) with several steps already taken in that properly prioritized way.

GDPR compliance disconnect - GDPR readiness perceptions versus facts

Data governance strategies lack in companies who believe they will be GDPR compliant

The gap in perception between GDPR readiness and effective GDPR readiness is of course not without danger. As said in the previously mentioned article GDPR is a business challenge and requires a business mandate and the involvement of several parties, including obviously IT executives.

If IT executives don’t have the full picture and are more positive about their readiness than they really should be you have a problem. We see that gap each day. True, GDPR is not easy, there are still many myths (for, instance with regards to the need of a Data Protection Officer) and many people keep confusing between the GDPR and the ePrivacy Regulation.

The GDPR readiness gap is also shown by numerous surveys, whether they are from vendors of solutions or not (do note that one solution nor one area of solutions such as security is enough, GDPR is not just about technology).

December 2017 research from cybersecurity and compliance company Proofpoint, conducted among 1,500 IT decision makers in the UK, France and Germany, shows several key issues in the scope of that GDPR compliance readiness gap between perception and reality.

In the press release of the study , entitled ‘The great disconnect’, the company, for example, mentions that while 77 percent of UK businesses believe they will be fully compliant by May 2018 (which we can assure you is far from a reality and more a pipe dream), only 5 (five!) percent have all necessary data governance strategies in place to be compliant – or let’s say close to compliant. That is indeed a big GDPR compliance disconnect. It is especially important as, according to the statement, data breaches are significantly on the rise in the UK.

Data breach risk perceptions and poor GDPR preparation prioritizations

And it’s not just in the UK of course. Of all IT decision makers who think their company is likely to suffer a data breach the French are most wary of all: 78 percent of French IT decision makers state their business is likely to suffer a data breach, as compared with German respondents of whom only 46 percent thing this is likely.

Under the GDPR, responsibility lies with multiple internal and external stakeholders. Many organizations are unclear about where ownership should fall. That ambiguity is hindering the processes that need to be put in place to be compliant (Proofpoint, December 5, 2017)

Why does this matter? Well, because one can expect that IT decision makers who think chance is high that they might suffer data breaches also take more precautions, again with the reminder that data breaches, let alone, GDPR risks, aren’t just about cybersecurity.

It just takes an unaware employee who hasn’t been properly educated on how to deal with personal data of EU citizens and, for instance, has uploaded data on a private file sharing and storage app or loses a USB stick with data from the latest lead generation campaign or an export of whatever form of personal data in whatever scope.

Speaking about the latter, user or employee awareness, there is even worse news: according to the Proofpoint research only 56 percent of respondents have a user awareness program on data protection in place.

The great disconnect - perception and reality of GDPR readiness report by Proofpoint in PDF
The great disconnect – perception and reality of GDPR readiness report by Proofpoint in PDF

That is, to say the least, not the ideal way of preparing and prioritizing as, for now and despite increasing attacks, people are still the weakest link.

More information, data and links in the Proofpoint report (PDF opens) that also shows the naive optimism with regards to GDPR readiness and the saddening fact that GDPR compliance isn’t on the executive agenda with the obvious consequences you could see in the quote from the report.

If there is no executive buy-in with the necessary stakeholders involved in what is not an IT, information management or security challenge alone but a real strategic business challenge, then one can hardly expect that there are no gaps in perception versus reality, that there is no GDPR compliance disconnect and, worse, that the actual level of preparedness is far lower than imagined. 

What is the GDPR? GDPR overview

 

Top image: Shutterstock – Copyright: create jobs 51 – All other images are the property of their respective mentioned owners. Although the content of this article is thoroughly checked we are not liable for potential mistakes and advice you to seek assistance in preparing for GDPR.