TWO THIRDS OF BUSINESSES UNPREPARED FOR NEW EU DATA PROTECTION LAWS
More than two thirds of businesses are unprepared for new EU data protection laws, according to a new survey.
Research by Compuware found that 68 per cent of firms have no comprehensive plan for the introduction of the General Data Protection Regulation (GDPR).
And only 52 per cent of businesses surveyed say they could efficiently comply with the “right to be forgotten” aspect of the new legislation.
This area could prove difficult for firms: 68 per cent of respondents said the complexity of modern IT systems means they cannot always know where customer data is.
Only just over half of CIOs said they could locate all of a person’s data quickly, while 30 per cent admitted they could not guarantee they could do so at all.
Forty-five per cent of the organisations questioned said it would take them a lot of time and resources to comply with a request to show an individual all of the data stored on them.
Non-compliance with the GDPR could land businesses with fines of up to €20 million (£17 million) or four per cent of their global turnover, whichever is greater.
“To comply with the GDPR, businesses need to keep stricter control of where customer data resides,” said Dr Elizabeth Maxwell, PC.dp and technical director, EMEA at Compuware.
“If they don’t have a firm handle on where every copy of customer data resides across all their systems, businesses could lose countless man hours conducting manual searches for the data of those exercising their ‘right to be forgotten’.
“Even then, they may not identify every copy, leaving them at risk of non-compliance.”
Eighty-six per cent of businesses use live data to test applications in software development, but just one in five ask customers for explicit consent to do this, leaving them at odds with the GDPR.
They could also be further putting customers’ data at risk, as 43 per cent of those that test applications with live data cannot guarantee it is depersonalised first.
“Using customer data to test applications is fairly standard practice, but there’s no need or excuse for not depersonalising it first,” Maxwell continued.
“Companies that fail to mask data before using it to test applications could soon find themselves slapped with an eye-watering fine from EU regulators.
“As well as being better for protecting customer privacy, anonymising test data eliminates the need to obtain customers’ explicit consent for it to be used in this way, which over half of CIOs identified as one of the biggest hurdles in GDPR compliance.”
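The masking of live data before it reaches a test environment, which the closing paragraphs describe, is illustrated below by an added example. It is not Compuware's tooling and does not come from the article or the survey: the field names, the customer records and the secret key are constructed for the illustration. Direct identifiers are replaced with a keyed HMAC token, so that rows referring to the same customer still join up in tests, while free-text fields that are not needed for testing are dropped outright; a final check reports any raw identifier that survives in the masked output before it is released.

```python
"""Added example (not from the article or Compuware): pseudonymising a
production-like customer extract before it is handed to a test environment.
All records, field names and the key below are constructed."""

import hashlib
import hmac
import re
from typing import Dict, List

# Fields that directly identify a person: replaced by a stable keyed token.
DIRECT_IDENTIFIERS = ("customer_id", "email", "phone")
# Fields that are personal but not needed for testing: removed entirely.
DROP_FIELDS = ("full_name", "notes")

# Constructed key. In practice it belongs to the masking job's secret store and
# never reaches the test environment, so tokens cannot be reversed there.
MASKING_KEY = b"constructed-example-key-not-for-production"

# Constructed sample extract standing in for a live customer table.
SAMPLE_RECORDS: List[Dict[str, str]] = [
    {"customer_id": "C-1001", "email": "alice@example.com", "phone": "+44 7700 900001",
     "full_name": "Alice Example", "plan": "gold", "notes": "Called re: invoice"},
    {"customer_id": "C-1002", "email": "bob@example.com", "phone": "+44 7700 900002",
     "full_name": "Bob Example", "plan": "silver", "notes": ""},
    # Same person as the first row under a different id: her tokens stay consistent.
    {"customer_id": "C-1003", "email": "alice@example.com", "phone": "+44 7700 900001",
     "full_name": "Alice Example", "plan": "gold", "notes": "Duplicate account"},
]


def pseudonymise(value: str, key: bytes = MASKING_KEY) -> str:
    """Deterministic keyed token for one identifier value (normalised first)."""
    digest = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return "tok_" + digest.hexdigest()[:16]


def mask_record(record: Dict[str, str], key: bytes = MASKING_KEY) -> Dict[str, str]:
    """Return a copy of one record that is safe to load into a test database."""
    masked: Dict[str, str] = {}
    for field, value in record.items():
        if field in DROP_FIELDS:
            continue                      # personal data with no test value: drop it
        if field in DIRECT_IDENTIFIERS:
            masked[field] = pseudonymise(value, key)
        else:
            masked[field] = value         # non-personal business attribute: keep as is
    return masked


def mask_extract(records: List[Dict[str, str]], key: bytes = MASKING_KEY) -> List[Dict[str, str]]:
    """Mask a whole extract."""
    return [mask_record(r, key) for r in records]


EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
# International-format numbers, as in the constructed sample ("+44 ...").
PHONE_RE = re.compile(r"\+\d[\d\s-]{7,}\d")


def leaked_identifiers(masked_records: List[Dict[str, str]],
                       originals: List[Dict[str, str]]) -> List[str]:
    """Release gate: list every value in the masked output that is still a raw
    identifier from the source, or that still looks like an e-mail address or
    phone number. An empty list means the extract may be handed to testers."""
    raw_values = {v for r in originals for f, v in r.items()
                  if f in DIRECT_IDENTIFIERS or f in DROP_FIELDS} - {""}
    leaks: List[str] = []
    for rec in masked_records:
        for value in rec.values():
            if value in raw_values or EMAIL_RE.search(value) or PHONE_RE.search(value):
                leaks.append(value)
    return leaks


if __name__ == "__main__":
    masked = mask_extract(SAMPLE_RECORDS)
    for row in masked:
        print(row)
    print("leaks:", leaked_identifiers(masked, SAMPLE_RECORDS))
```

Because the token is keyed, the same person appearing under two customer ids (rows one and three above) gets identical e-mail and phone tokens, so joins and duplicate-detection tests still behave as they would on production data, while nobody holding only the test copy can recover the address. Running the same gate over the unmasked extract shows what it is there to catch.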