Font Size: A A A

Home > Security Products > Cyber > Data protection study


Data protection study

Delayed threat detection and breach notifications could intensify the regulatory challenges of data protection, according to Data Protection: Prioritizing Regulations and Guidelines research study released by Blancco Technology Group.

In particular, 16 percent of businesses take between one and six months to detect a security threat and 5 percent only detect a threat when notified by external parties, according to the study.

While threat detection plays a vital role in helping organizations prevent data loss/theft, it’s equally important to notify regulatory authorities and customers of a data breach in a timely and efficient manner. Despite the EU GDPR’s requirement to notify regulatory authorities of a data breach within 72 hours, 13 percent of the surveyed IT professionals admitted it takes between one month and one year to do so. In such instances, these organizations would be in violation of the EU GDPR’s breach notification requirement and could face regulatory fines of up to 20 million euros, or 4 percent of their global turnover, whichever is greater.

Findings from the study include:

· Information is beautiful, but data breaches are not. 28 percent of organizations have been hit by a data breach in the last 12 months.

· Although C-suite interest in data governance is increasing, visibility proves challenging. While it’s good news that 76 percent of C-suite and board-level executives review and assess regulatory compliance with state, federal and international data protection laws, 12 percent do so infrequently (between one and three years).

· ISO and NIST data protection guidelines are rising in importance. 88 percent of the surveyed IT professionals consider ISO and NIST guidelines to be either ‘very important’ or ‘important.’

· Regulatory fines have become too normalised. 29 percent of businesses have been cited by a regulatory/governing body for failure to comply with security regulations in the last 24 months.

· Regulatory fines are considered more damaging than customer lawsuits, negative publicity and reduced sales. 28 percent of organizations said regulatory fines are the most damaging consequence of being cited for a regulatory violation, followed by customer lawsuits (22 percent), negative publicity (20 percent) and reduced sales (8 percent).

Richard Stiennon, Chief Strategy Officer of Blancco Technology Group, said: “The findings of our study reiterate just how important it is for organizations to manage data properly and have a sound data governance programme in place. This will require organizations to be fully aware of and regularly assess every type of user data that is stored, how long that data is kept, as well as when and where data needs to be removed when users end their service or when legal requirements demand it. As so many data breaches have shown, taking too long to detect a security threat and notify both regulatory authorities and customers could not only lead to regulatory fines, but could also put organizations at the center of customer lawsuits, diminished sales and negative publicity.”


The purpose of the study was to understand the importance organizations place on data protection regulations and industry guidelines. The survey was fielded in October 2016 to 460 IT professionals in the United States, Canada, Mexico, United Kingdom, France, Germany, India, Japan and China.


Related News