Confusion remains around GDPR compliance, report says

14 Sep 2017

That GDPR to-do list is getting long for many companies. Image: Vladimir Gjorgiev/Shutterstock

With the May 2018 deadline looming, many companies are confused about GDPR compliance.

An independent global survey commissioned by WatchGuard Technologies has exposed just how many organisations are unprepared for the upcoming GDPR regulations.

The GDPR's criteria lay out that any company that stores or processes personal information about EU citizens must demonstrate compliance.

However, the survey of more than 1,600 organisations showed widespread confusion over which types of data bring an organisation within the regulation's scope.

To comply or not comply?

37pc of respondents don’t know if their organisation is required to comply or not, while 28pc of organisations surveyed believe they have no requirements to comply at all. The survey found that one in seven of the respondents who don’t think the GDPR regulations apply to them do, in fact, collect personal data from EU citizens.

CTO of WatchGuard, Corey Nachreiner, said: “Once enforcement for this new legislation begins, companies all over the world will feel its impact. Unfortunately, the data shows that an alarming number of organisations are still unaware or mistaken about the need for GDPR compliance, leaving them three steps behind at this stage.”

He also noted that a mere 16pc of organisations in the Americas believe that they need to comply, leaving many at risk of non-compliance fines, with sensitive customer information at stake.

It appears that people are confused as to how exactly they need to bring their company up to standard, with 44pc not knowing how close their organisation is to compliance.

Of those who are aware of their need to comply (35pc of respondents), 85pc believe their compliance strategy is strong, but more than half think a dramatic overhaul of their IT infrastructure is required. Firewalls, VPN and encryption are the top strategies pegged by respondents, but sandboxes are only of interest to 18pc of total respondents.

With the clock ticking, organisations are turning to outside parties such as WatchGuard to achieve compliance while balancing their other business needs, with the entire process expected to take an average of seven months.

Automating GDPR compliance

The Media Trust also recently announced the availability of its SaaS-based digital vendor risk-management service that automates web and mobile app compliance, forcing enterprises to manage the tracking activities executed in their companies’ digital environments.

CEO Chris Olson said: “Considering up to 75pc of code executing on websites is provided by third-party vendors, current solutions – tag managers, web application security, consent managers etc – provide insufficient insight into the actual code rendering on a consumer’s browser. How can you control what you don’t see?

“GDPR’s impending arrival means it’s no longer feasible for IT, risk, security and ad or website operations teams to have an incomplete picture of their digital ecosystem.”

As data controllers, enterprises must detect and justify the presence of all third-party data tracking elements – including cookies, pixels and other data-capturing code that identifies consumers and/or their devices – to ensure the data collected is permitted according to GDPR’s mandate.

Inability to detect and block non-compliant data trackers operating on digital assets will expose enterprises to substantial fines and reputational damage.

As the deadline for GDPR moves ever closer, the scale of the job at hand is now becoming apparent to an increasing number of organisations.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects