Many Not Ready for GDPR Requirements Including 72 Hour Breach Notification
The European Union’s General Data Protection Regulation (GDPR) goes into effect May 25th and will apply to any organization collecting and storing information on EU consumers, with fines for non-compliance as high as €20 million or 4 percent of annual revenue. Despite the hefty potential penalties, in a recent survey just 52 percent of organizations said they will be GDPR compliant by the May deadline.
Replacing the EU Data Protection Directive, GDPR brings several new requirements and challenges for organizations that use data to track online behavior or market goods or services to consumers in the EU, regardless of where the organization is based. Comprising 91 articles, GDPR has been a challenge for many organizations, which must adjust their data collection policies and disclosures.
Requirements of GDPR include the right for EU citizens to control data about them, including the “right to portability” for transferring data between service providers and the “right to erasure” when they want all of their data removed. GDPR requires organizations to obtain an EU user’s consent before storing or processing data about them, to anonymize certain data that is collected, and to notify victims of a data breach within 72 hours. According to a recent Ponemon Institute survey, 83 percent of organizations said the 72-hour breach notification will be the most difficult GDPR challenge to address.
This same study found that companies are budgeting $13 million per year, on average, to account for GDPR compliance efforts. Despite this, just over half expect to be compliant by the May 25th deadline.
According to another survey by EY, the right to erasure is the aspect of GDPR organizations find most challenging. None of the organizations surveyed had capabilities to support this in place at the time of the survey.