Technology has transformed the fabric of society in ways no one could have imagined, and it has sparked a need for a review of the rules that govern the world’s data protection laws. On May 25, 2018, the General Data Protection Regulation (GDPR) came into effect in the European Union (EU) to bring stricter rules around how organizations handle data privacy. The new laws will grant EU citizens more control over their data and force companies to more carefully examine how they collect, process and store data. However, even with years to prepare, are IT and cybersecurity professionals ready for the impact this will have on their organizations?
Avecto was curious how aware IT and cybersecurity professionals are of the preparations their organizations have made to meet these new regulations. In May 2018, Avecto surveyed 500 IT and cybersecurity professionals in the UK, North America, and Germany to see how familiar they were with GDPR, which data protection measures their organizations had in place, and which protections they had added to secure personal data. The survey explored IT and Security's role in helping companies achieve compliance with the new guidelines for the collection and processing of personal information of individuals within the European Union.
How Familiar Were IT and Cybersecurity Professionals with GDPR?
In April 2016, the European Parliament announced that it would be implementing GDPR to add extra protection for customer and employee data. Over the past two years, the headlines have been full of stories about how this will impact companies globally. But even with the media attention on this important topic, do IT and cybersecurity professionals truly know what this regulation is?
From our survey, we found that while approximately 70 percent of professionals in the UK and Germany have heard of and understand the new regulations, North America is unprepared for these new laws with only 37 percent of survey participants indicating they understand these new laws.
Who Does GDPR Impact?
The GDPR regulations will have a far-reaching impact across Europe. However, do IT and cybersecurity professionals understand the global reach and that the law will impact businesses and customers far beyond the European borders?
Every company that operates in Europe or retains data about any EU citizen for any reason will be required to observe the GDPR's tighter data security standards and will need to provide users with access to and control over their data. From our survey, we found that only 60 percent of global IT and cybersecurity professionals knew that the new laws would apply to any company with European customers.
Are Companies Preparing for GDPR?
Even though companies have had two years to get ready for GDPR, are they equipped for the May 2018 deadline? We found that only 59 percent of global IT and cybersecurity professionals believe their companies are preparing for the new laws. Not being ready to follow the new legislation is a significant risk, because companies face steep fines if they break the new law.
The Fines Associated with GDPR
The fines associated with not being compliant with GDPR are steep and can cost companies dearly. From the survey, we found that over 70 percent of UK and German IT and cybersecurity professionals are aware of the penalties that could be imposed if they fail to comply with the new regulations. In contrast, only 38 percent of North American IT and cybersecurity professionals understand the penalties their organizations could face.
What are the fines?
There are two levels. The first is up to €10 million or 2% of the company's global annual turnover of the previous financial year, whichever is higher. The second is up to €20 million or 4% of the company's global annual turnover of the previous financial year, whichever is higher. With potential fines this steep, companies have a strong incentive to ensure they are compliant with GDPR.
Removing Administrator Rights Can Help Your Company Be GDPR Compliant
Now that GDPR is in place, companies should be evaluating their most significant pain points and recurring sources of risk immediately after the law takes effect, over the next year, and in the long term. IT and cybersecurity leaders should be examining what procedures and best practices they have in place to strengthen the protections around the data held by their company.
A foundational principle of GDPR is that organizations maintain an appropriate set of security controls, and controlling the use of privileges is fundamental to that. Yet only 36 percent of organizations have removed administrator rights at various levels to improve their data protection initiatives and comply with regulations. Looking more closely at the results, only 13 percent of North American respondents, 9 percent of UK respondents and 12 percent of German respondents said they removed local administrator rights in preparation for the GDPR. Many organizations feel privilege management and application control are each a massive undertaking, but endpoint privilege management secures desktops and laptops while letting workers do their jobs with minimal interruption.
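Removing local administrator rights starts with knowing who holds them. The following script is an added example, not Avecto's code or part of this survey: it lists members of a Windows endpoint's local Administrators group that are not on an approved list and shows what removing them would do. The approved-list entries are constructed placeholders (the CONTOSO groups are assumed names), and the script needs an elevated session on Windows 10 / Server 2016 or later, where the LocalAccounts cmdlets are built in.

```powershell
# Added example (not Avecto's code): audit the local Administrators group against an
# approved list and preview removal of anything else. Run elevated on Windows 10+/Server 2016+.
# The entries below are constructed placeholders; replace them with your approved principals.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local account (normally disabled and vaulted)
    "CONTOSO\Domain Admins",             # assumed domain group name
    "CONTOSO\Workstation Admins"         # assumed tier-appropriate admin group name
)

function Get-UnapprovedLocalAdmin {
    param([string[]]$Approved = $ApprovedAdmins)
    # Get-LocalGroupMember returns LocalPrincipal objects; Name is in DOMAIN\name or COMPUTER\name form.
    # String comparison with -notcontains is case-insensitive by default in PowerShell.
    Get-LocalGroupMember -Group "Administrators" |
        Where-Object { $Approved -notcontains $_.Name }
}

$unapproved = @(Get-UnapprovedLocalAdmin)
if ($unapproved.Count -eq 0) {
    Write-Output "$env:COMPUTERNAME : no unapproved members in local Administrators."
    return
}

# Report first. PrincipalSource distinguishes local, Active Directory and Microsoft/Azure AD principals,
# which matters when deciding who owns the cleanup for a given entry.
$unapproved | Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize

# Removal stays in -WhatIf (preview) mode; drop the switch only after the report has been reviewed.
foreach ($member in $unapproved) {
    Remove-LocalGroupMember -Group "Administrators" -Member $member -WhatIf
}
```

Run the report across a fleet (for example via a management tool or remoting) before removal, since the survey's point is that most organizations have not yet taken this step and the first pass usually surfaces accounts nobody remembers granting.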
The results of the survey indicate that organizations within the UK and Germany are taking the necessary steps to prepare for GDPR. However, organizations in North America are lagging and opening themselves up to potentially significant fines. The GDPR regulation requires companies to make fundamental changes to how they handle personally identifiable information. Key actions that companies can take to be GDPR compliant begin with the security fundamentals: deploy endpoint privilege management, inclusive of application control, to achieve a least privilege environment.