C-Level Executives Not Prepared for General Data Protection Regulation Implementation

Research by Trend Micro
This is a Press Release edited by on 2017.09.13

AddThis Social Bookmark Button

With the General Data Protection Regulation (GDPR) taking effect May 25, 2018, businesses around the globe should be preparing accordingly.

However, through a recent survey, Trend Micro Incorporated, in cybersecurity solutions, found that C-suite executives are not approaching the regulation with the seriousness required, resulting in overconfidence when it comes to compliance.

GDPR Awareness
The company's research reveals a robust awareness of the principles behind GDPR, with a strong 95% of business leaders knowing they need to comply with the regulation, and 85% having reviewed its requirements. In addition, 79% of businesses are confident that their data is as secure as it can possibly be.

Despite this perceived awareness, there is some confusion as to exactly what Personally Identifiable Information (PII) needs to be protected. Of those surveyed, 64% were unaware that a customer's date of birth constitutes as PII. Additionally, 42% wouldn't classify email marketing databases as PII, 32% don't consider physical addresses and 21% don't see a customer's email address as PII, either. These results indicate that businesses are not as prepared or secure as they believe themselves to be. Regardless, this data provides hackers with all they need to commit identity theft, and any business not properly protecting this information is at risk of a penalty fine.

The Cost of Not Being Compliant
According to the survey, a staggering 66% of respondents appear to be dismissive of the amount they could be fined without the required security protections in place. Only 33% recognize that up to 4% of their annual turnover could be sacrificed. Additionally, 66% of businesses believe reputation and brand equity damage is the biggest pitfall in the event of a breach, with 46% of respondents claiming this would have the largest affect amongst existing customers. These attitudes are especially alarming considering businesses could be shut down in the event of a breach.

"Investing in state of the art equipment and employing data protection policies should be seen as a wise business practice, not an operational burden," said Rik Ferguson, VP of security research, Trend Micro. "As a strategic security partner, we see it as our shared responsibility to help customers meet GDPR data security compliance."

Responsible Parties
Trend Micro also learned that businesses are uncertain as to who is held accountable for the loss of EU data by a U.S. service provider. Only 14% could correctly identify that the loss of data is the responsibility of both parties - 51% believing the fine goes to the EU data owner, while 24% think the US service provider is at fault.

In addition, it turns out businesses aren't sure who should take ownership of ensuring compliance with the regulation, either. Of those surveyed, 31% believe the CEO is responsible for leading GDPR compliance, whereas 27% think the CISO and their security team should take the lead. However, only 21% of those businesses actually have a senior executive involved in the GDPR process. Meanwhile, 65% have the IT department taking the lead, while only 22% have a board level or management member involved.

The Technology Required
With threats growing in sophistication, businesses often lack the expertise to combat them, and layered data protection technology is required. GDPR mandates that businesses must implement technologies relative to the risks faced. Despite this, only 34% of businesses have implemented advanced capabilities to identify intruders, 33% have invested in data leak prevention technology and 31% have employed encryption technologies.

Trend Micro's commitment to GDPR compliance begins with its cross-generational XGen security, which protects personal data throughout enterprises. Its solution is optimized for environments where data may be stored, whether that's physically, virtually, on the cloud, or in containers. It is a strategy and platform spanning across all Trend Micro solutions, connected to alert and reporting data breaches as they happen. This approach provides businesses with the tools mandated by GDPR.

The Research
In partnership with Opinium Research LLP, Trend Micro conducted its survey between May 22 and June 28, 2017. The preceding results are gleaned from 1,132 online interviews with IT decision makers from businesses with 500+ employees in 11 countries, including USA, UK, France, Italy, Spain, Netherlands, Germany, Poland, Sweden, Austria and Switzerland. Respondents of the survey hold either senior executive, senior management or middle management positions in multiple industries including retail, financial services, public sector, media and construction.