The IBM study, titled “The end of the beginning: Unleashing the transformational power of GDPR”, reveals that nearly 60% of respondents see the General Data Protection Regulation (GDPR) as an opportunity to improve privacy, security and data management, and as a catalyst for new business models, rather than as a compliance issue or hurdle.
To reduce risk, the study showed that most of the surveyed companies want to be more selective in the data they collect and manage: seventy percent of respondents said they wanted to dispose of data before the compliance deadline.
Companies' preparation for the GDPR is driven by increased scrutiny from consumers of how businesses manage personal data. For instance, only 20% of consumers in the US completely trust the organizations they interact with to keep their data confidential.
In the weeks leading up to the appointed date (May 25, 2018), the IBM Institute for Business Value (IBV) surveyed more than 1,500 executives responsible for complying with the GDPR at organizations around the world. The results reveal how companies are approaching the GDPR as an opportunity to boost customer confidence and drive innovation:
- 84% believe that proof of compliance with the GDPR is seen as a positive distinguishing feature in the public eye
- 76% said the GDPR will provide more trusted relationships with affected individuals which could open new business opportunities
- Despite this opportunity, only 36% believe that they will be able to fully comply with the GDPR by 25 May
"GDPR will be one of the biggest disruptive forces impacting business models across industries – and its reach extends far beyond the EU borders," said Cindy Compert, CTO, Data Security & Privacy, IBM Security. "The onset of GDPR also comes during a time of huge distrust among consumers toward businesses' ability to protect their personal data. These factors together have created a perfect storm for companies to rethink their approach to data responsibility and begin to restore the trust needed in today's data-driven economy."
GDPR leads to a reduction in data collection and storage
Another important finding of the study is that companies are using the GDPR as an opportunity to streamline their approach to data and reduce the total amount of data they manage. For many companies, this means sharply cutting down on the amount of data they collect, store and share.
According to the new study, organizations reported taking the following actions in response to the GDPR:
- 80% say they are cutting down on the amount of personal data they keep
- 78% are reducing the number of people who have access to personal information
- 70% are disposing of data that is no longer needed
The study found that the biggest challenges organizations face in complying with the GDPR are finding personal data within the organization (data discovery), ensuring the accuracy of the collected and stored data, and adhering to the rules on how data may be analyzed and shared (the data processing principles). Other areas of concern are the handling of cross-border data transfers and obtaining the consent of data subjects: fewer than half of respondents said they were sufficiently prepared for these aspects of the GDPR.
A key element of the GDPR is the requirement to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it. However, the study found that only 31% of companies had reviewed or changed their incident response plans in preparation for this requirement, which is a blind spot in the overall approach to GDPR.
While challenges remain, a notable proportion of the surveyed companies (22%) treat the GDPR as a fully transformative business opportunity for their approach to data ownership and management. Within this group:
- 93% have modified their incident response processes
- 79% said they were prepared for performing data discovery and ensuring data accuracy
- 74% said they would consider data security and privacy for new products and services "by design"
Why the human factor is pivotal
Sustainable implementation of the GDPR is not purely an IT matter; it must also involve employees and processes, and IBM's own research shows why.
According to IBM's research, avoidable human error is responsible for a large share of data loss. In the annual IBM X-Force Threat Intelligence Index 2018, the company concluded that "inadvertent insiders" - employees who unintentionally cause security incidents through negligence - accounted for two-thirds of all compromised records in 2017. The errors include elementary actions such as clicking malicious links sent as part of a phishing attack, as well as misconfiguration of servers and network devices.
The latter are said to account for more than two-thirds (70%) of all human-error data loss, the report said. The number of cases has risen dramatically above all because of poorly configured cloud servers: 424% more records were exposed through this type of breach than in the previous year.
The remaining third is attributable to individual employees. Phishing attacks induce employees to open malicious links or attachments, which in turn install malicious software on the system. Under the EU GDPR, such errors can not only damage the company's public image but also be very costly: breaches of the Regulation can be sanctioned with fines of up to 4% of total worldwide annual turnover for the preceding financial year (or €20 million, whichever is higher). Investing in the protection of personal data can clearly reduce these risks.
IBM's point is that introducing new IT technology alone cannot solve privacy problems: trained employees are at least as important to the safe handling of data as the underlying infrastructure.
Enterprise-wide, easy-to-implement policies that describe data processing and data access processes can make an impact.