We follow on from our Cyber Security Force’s post yesterday about 96% of firms being unprepared for tougher data protection laws.
Nearly three quarters of businesses do not think an organisation’s privacy track record is a top three consideration for customers when choosing who to do business with, despite customers asking about data security in more than a third of transactions.
Equally concerning, the report said, is the finding that 35% of respondents do not believe their organisation takes an ethical approach to securing and protecting data.
These results show there is a significant disconnect with consumer priorities, the report said, with 88% of European consumers regarding data security as the most important factor when choosing a company with which to do business. In fact, 86% consider it more important than product quality.
Unsurprisingly, the study found that 55% of businesses are not confident they completely meet customers’ data security expectations.
The study also found many businesses have not started working out the necessary organisational and cultural changes they need to make ahead of May 2018.
Some 9% of businesses admitted that all employees are able to access customers’ personal information, while 6% admitted that all staff can access customers’ payment details. Only 14% believe everyone in the organisation has a responsibility to ensure data is protected.
With such wide reaching access to people’s personal information, businesses are underestimating the challenges they will face in managing this in line with the GDPR, the report said.
Under half of those surveyed said managing data ethically is a top priority for their organisation, and less than half again said they would be increasing security training. Only 27% of businesses polled said they are planning to overhaul their approach to security in response to the GDPR.
The majority of respondents (91%) have concerns about the ability of their organisation to comply with the GDPR, due to factors such as the complexity of processing data correctly in time and costs involved.
Only 28% of IT and business decision makers realise the right to be forgotten is part of GDPR, while 90% of businesses say customers requesting their data be deleted will be a challenge for their organisation.
Only 9% of respondents have already received requests to be forgotten, but 81% believe their customers would exercise their right for data to be deleted, and 60% of businesses do not currently have a system in place that enables them to respond to these requests.
With less than two years before the EU data protection rules come into force, there are 10 key areas businesses need to focus on to ensure they will be compliant.
The European Parliament’s official publication of the General Data Protection Regulation means it will become enforceable on 25 May 2018.
Companies that fail to start planning to deal with the EU’s data protection requirements are in for a real shock, warns the International Association of Information Technology Asset Managers.
The GDPR is about enabling organisations to realise the benefits of the digital era, but it is serious about enforcement for those that do not play in the rules, says UK information commissioner.