A survey of 1,263 IT professionals conducted by the Ponemon Institute, on behalf of the law firm McDermott Will & Emery LLP, suggests that even some of the best-laid plans to comply with the General Data Protection Regulation (GDPR) have gone awry. More importantly from the perspective of managed service providers (MSPs), failures to achieve GDPR compliance are resulting in additional dollars being set aside to address compliance issues in the next annual budget cycle.
The survey finds only half the survey respondents say they are GDPR compliant, with 61 percent having budgets set aside specifically for GDPR activities. The average budget is $13.6 million, a slight increase from $13.2 million allocated last year. Well over half of those respondents believe those allocations will be renewed annually (35 percent) or continued indefinitely (24 percent).
GDPR compliance remains an ongoing challenge
Many organizations once viewed GDPR compliance as a one-time event tied to the May 25th deadline of last year, but it is now starting to be recognized as the ongoing process that it really is.
More than half the respondents (54 percent) said achieving GDPR compliance took longer than anticipated. A full 80 percent said achieving GDPR compliance was equally or more difficult to implement than other data privacy and security requirements.
The survey also notes that respondents were involved in an average of two reportable data breaches since GDPR came into effect, with about one in six leading to either a follow-up inquiry or an inspection from the regulator. Only 10 percent of respondents received a fine because of the data breach, but many still noted that the financial costs were significant.
Just over two-fifths of the respondents in the U.S. (44 percent) relied on external service providers to investigate those GDPR-related cyberattacks, compared to 40 percent in Europe.
Opportunity for MSPs materializes
Rather than simply relying on external service providers to investigate breaches, the conversation will increasingly shift toward finding a way to optimally manage sensitive data on an end-to-end basis as fines increase. Only 18 percent of the survey respondents are highly confident in their organizations’ ability to communicate a reportable data breach to the relevant regulators within 72 hours of becoming aware of the event.
Despite that lack of confidence, more than half of the U.S. respondents (57 percent) plan to apply what they accomplished in terms of meeting GDPR compliance to other regulations. Nearly half (46 percent) of U.S. respondents specifically cited the California Consumer Privacy Act (CCPA).
The survey also suggests MSPs with expertise in managing data should expand the scope of their services. A full 68 percent of respondents already addressed their needs to restore availability and access to personal data in a timely manner in the event of a physical or technical incident. Another 62 percent provide pseudonymization and encryption of personal data.
Where capabilities start to fall off is in the number of organizations confident in their ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services (50 percent); to audit and review third-party contracts (49 percent); and to regularly test, assess, and evaluate the effectiveness of technical and organizational measures for ensuring the security of processing (48 percent).
Of course, most MSPs know that internal IT teams are usually overly optimistic when it comes to assessing capabilities that have never been put to the test. IT organizations often discover that their data is not quite as protected as they first assumed once there is an actual incident. The challenge and opportunity for MSPs now is to help customers identify those issues, before it’s too late.
Photo: Keith Homan / Shutterstock