The EU General Data Protection Regulation (GDPR) is the most sweeping data legislation many of us have seen. It aims to protect the privacy and security of all the data collected by all organizations across the European Union. Put simply, if you’re retaining any data on EU citizens, you’ll need to comply with GDPR. However, scanning this week’s news on GDPR one theme emerges above all others: organizations by and large are not even close to being prepared for it.
Most companies haven’t even started GDPR groundwork
Information Age, for instance, reported on a study from Spiceworks that found that, while UK IT organizations are in general more prepared for GDPR than U.S.- or EU-based organizations, the majority of organizations on all sides of the pond are unprepared. According to the study, only 40 percent of UK companies, 28 percent of EU companies, and five percent of U.S. companies have even started to prepare. Furthermore, only five percent of IT professionals in the UK think their company is fully prepared. It’s worse in the U.S. and EU, where only two percent of those surveyed believed they were fully prepared. These numbers may make some sense in the U.S., where 43 percent of those surveyed said they don’t think GDPR will impact their company (although we think they are sorely mistaken). However, the lack of preparedness in the EU and UK is puzzling, considering that only three and nine percent respectively are unconcerned about GDPR.
Budget, hiring a DPO, and not knowing where to start are roadblocks
So, if the vast majority of companies are indeed concerned about GDPR, why aren’t they doing more? A study by CareersinCyberSecurity and Hamlins LLP found that 73 percent have failed to budget for the implementation of the changes they require to comply with GDPR. According to the study, 53 percent of UK businesses haven’t appointed a Data Protection Officer (DPO), as required by GDPR for organizations with more than 250 employees. Possibly even more disconcerting, more than a third said they’re either not planning to do anything about GDPR, or don’t know what they need to do.
Concern over this general lack of preparedness was echoed by Bill Coffin of ComplianceWeek, who indicated that part of this may be due to the fact that organizations don’t even know where to start:
“This is a very wide-reaching piece of legislation that touches on so many different pieces of data that an organization has gathered over many years. And let’s face it: Quite a lot of organizations don’t know where some of that information is. They don’t have control over it. Many users may have been storing information in the cloud that may not be readily known to the IT or security department. But that is all covered by GDPR, and the organization is responsible for it.”
GDPR is everyone’s concern – including your cloud services providers
We’ve written extensively on this subject, highlighting fines that can be very stiff: up to 2% of turnover, or €10 million, for “less serious” infractions, with penalties doubled for more serious infractions. What is not as frequently discussed is that the same obligations apply to your service providers, namely those that are considered “data processors” or “data controllers” that store and manage your data in a ‘cloud’ service. As data stored in a cloud environment may include EU citizen data that is considered personal, service providers must also have the ability to identify where that information resides and respond to EU citizen inquiries (Article 15), and must be able to eliminate the data if an EU citizen successfully claims that the information is not being used by the data controller appropriately (Article 17). As importantly, the service provider must demonstrate to EU authorities that it has established data protection safeguards that satisfy the GDPR criteria for data privacy by “Design and Default” (Article 25). Service providers must do so for any EU citizen’s data that they possess, regardless of whether they have operations or services located in the EU. Clearly, many cloud service providers are not yet ready to address these requirements; in fact, some are not equipped to tell you exactly where a specific individual’s data is located among their cloud server environments.
So, what questions should you ask your cloud service providers to assess their readiness to meet requirements of the GDPR? Here’s an infographic that can help start the process: