Case Studies

Data readiness study

by Mark Rowe

New rules on consent to use of data, European-wide privacy rights, fines that may run into the millions of pounds and euros, plus stricter procedures and public disclosure in cases of data breach: those are among the changes that will come into force as part of the General Data Protection Regulation (GDPR) in May 2018.

Yet a large number of companies have no idea what is coming their way, with little more than a year until the deadline, an IDC Research survey on behalf of the internet security product company ESET suggests. A quarter (25 per cent) of the 700 surveyed European companies admitted they were not aware of GDPR, and more than half (52 per cent) of them were unsure of the impact on their organisation. Even among those that were aware of the regulation, one in five (20 per cent) firms in the survey hadn’t begun preparing for GDPR yet, and almost another 60 per cent were still getting their systems in line with the new rules, leaving only 21 per cent ready for the changes.

ESET points out that about a third (35 per cent) of the organisations that suffered a data breach in the last two years reported losses of between 25,000 and 250,000 euros, and most (32 per cent) put losses between 10,000 and 25,000 euros. However, the fines and rules on public disclosure imposed by GDPR could increase the financial risk to millions after May 2018.

The new regulation sets maximum fines as high as 20 million euros, or 4 per cent of a company’s annual turnover, if the company violates GDPR rules related to breaches of data protection principles, conditions for consent, customers’ or employees’ rights or international data transfers. As ESET says, this means an increase in risk, but the regulation itself also suggests “proper means” that can help businesses mitigate it. Encryption is named as one of the technologies that can help protect data and ease some of the obligations. Also, the costs of implementing encryption at SMBs, starting at around tens of euros per seat per year, are significantly lower than the potentially devastating fines companies face under GDPR.

With only a year left until GDPR enters into force, IDC has also looked into the state of encryption and its use amongst the surveyed businesses. It found that file encryption has been implemented in 46 per cent of the firms and is desired by 36 per cent. By comparison, full-disk encryption is reportedly in use in only 38 per cent of the companies, and desired by a third of them (34 per cent).

For more on the General Data Protection Regulation, ESET has a dedicated page.

About the survey

The survey was conducted in over 700 organisations across seven European countries: the Czech Republic, Germany, Italy, the Netherlands, Slovakia, Spain, and the United Kingdom. It focused on SMEs with 50 to 499 endpoints to protect, across vertical sectors. Respondents in C-level, security, IT administrative or management positions were questioned about a range of security-related topics.


© 2024 Professional Security Magazine. All rights reserved.
