Right about now inquiries from customers concerned about their ability to comply with the General Data Protection Rule (GDPR) that is set to implemented by the European Union on May 25 should be skyrocketing. But as is often the case, most of the demand for expertise on how to comply with the one of the most stringent regulations ever devised may not manifest itself until after the GDPR deadline.
The reason can only be attributed to a certain amount of bravado among IT organizations. A survey of 1,129 IT professionals published today by the Cloud Security Alliance (CSA) in a collaboration with Netskope finds 83 percent of respondent do not feel very prepared for GDPR. Yet, 71 percent said they were confident their organizations will be able to achieve GDPR compliance by May 25.
Obviously, the rush is on. Well over half (59 percent) of respondents said their companies are making GDPR a high priority. But, just under a third (31 percent) said they have well-defined plans for meeting GDPR compliance. A full 85 percent said they have something in place, and 73 percent have begun executing that plan. Only 10 percent said they still have no defined plan to prepare for GDPR.
Underestimating GDPR challenges
Given the fact that EU fines could reach as high as 4 percent of total worldwide revenue, it’s no wonder many organizations are starting pull out all the stops. Yet, many of them still underrate what GDPR compliance entails. Respondents cited the biggest challenges they face in achieving compliance as the GDPR’s “right to erasure” (53 percent), “data protection by design and by default” (42 percent), and “records of processing activities” (39 percent).
New @CloudSA study: 83% of IT pros surveyed do not feel very prepared for #GDPR @smartermsp @mvizard
To achieve compliance, most of the focus seems to be on documentation of data-collection policies (68 percent), codes of conduct (56 percent), and third-party audits and assessments (55 percent). John Yeoh, director of Research for the Americas for CSA, says it appears many organizations expect to comply with GDPR on day one, but many of them are underestimating aspects such as Article 12, which requires organizations to delete data within 30 days of being asked. It’s also worth noting that anyone can comply with a regulation once. GDPR is different in that IT organizations are expected to be in a continuous state of compliance. To help solution providers and their customers to navigate that complexity, the CSA developed the GDPR Resource Center.
GDPR wake-up call
Many IT professionals are understandably proud of their skills. But as the saying goes, pride does go before the fall. IT service providers should plan for a raft of calls from customers looking for help with everything from deleting a file in archive that is a decade old to making sure no one is keeping a copy of data hidden away for whatever well-intentioned reason.
In general, IT service providers should expect GDPR compliance issues to generate revenue streams on an ongoing basis through most of this year and beyond. Reports of violations and subsequent stern enforcement by the EU to send a message are all but inevitable. Even when an organization thinks it has achieved compliance, all it will take is one or two high-profile cases before organizations start to conduct their own internal audits. The good news is that it’s an IT service provider that most likely will get asked to conduct that audit if for no other reason than adding a little third-party validation that should help everyone involved sleep just a little bit better at night.