An Experian Data Breach Resolution and Ponemon Institute industry study says that while companies generally are aware of and intimidated by global privacy and data security regulations, they fail to properly understand and address necessary organizational changes to comply.
The study, Data Protection Risks & Regulations in the Global Economy, asked more than 550 IT security and compliance professionals, involved with their companies' global privacy and data security regulations, to weigh in on the top global security risks, as well as how prepared they feel their companies are to respond to a global data breach.
The study found that more than half (51 percent) of companies surveyed had experienced a global data breach, with nearly 56 percent experiencing more than one breach in the past five years. Yet, despite these major security intrusions, 32 percent of respondents noted that their respective companies still don't have a response plan in place.
Unfortunately, only 30 percent of respondents said their respective C-suite executives are fully aware of the state of their companies' compliance with global regulations. Moreover, only 38 percent of respondents agreed senior leadership views compliance with global privacy and data protection regulations as a top priority.
"Despite increasing reports of the damage caused by global data breaches, the study emphasizes that the increasing risk of, as well as the experience of going through, a global data breach isn't enough to lead CIOs and CSOs to prioritize compliance measures in line with what is expected in the GDPR," said Michael Bruemmer, vice president, Experian Data Breach Resolution. "More emphasis is required from companies, especially those with a multinational footprint, to get ahead of impending global regulations and risks. They can start by conducting risk assessments and investing in new technologies, such as encryption, as well as considering appointing a data protection officer to oversee compliance."
Additional findings from the study:
The GDPR notification requirements will be difficult to implement
- Only 9 percent of respondents reported their organization is ready to comply with the European Union's GDPR.
- Despite acknowledging the challenges and negative effects of noncompliance with the GDPR, many respondents (59 percent) said their companies don't understand how to comply.
- Surprisingly, 34 percent said they're preparing for compliance by closing overseas operations in countries with a high noncompliance rate. This indicates they may not fully understand the GDPR, as it doesn't require companies to have physical operations in the European Union to be impacted.
Companies aren't adequately prepared to respond to a global data breach
- Almost half (49 percent) of respondents stated their existing security solutions are outdated and inadequate to comply with global regulations. In addition, only 40 percent of respondents said their organization has the right security technologies to adequately protect information assets and IT infrastructure in all overseas locations.
- Only 35 percent said their organizations could manage cultural differences or expectations around privacy and data security across all regions of the world.
- Thirty-nine percent believe their organization has the right policies and procedures in place to protect information assets and critical infrastructure in all overseas locations.
Companies fail to prioritize global regulations and remain skeptical about benefits
- Only 38 percent of respondents agreed that senior leadership views compliance with global privacy and data protection regulations as a top priority.
- Eighty-nine percent of respondents believe the GDPR will have a significant impact on their data protection practices, yet only 41 percent believe global regulations will strengthen their organization's privacy and data protection practices.
- Seventy percent don't believe or are unsure the more stringent notification requirements in the GDPR will benefit the victims of a data breach.