More Than Two Thirds of Companies Not Confident of Being Fully Compliant with GDPR Requirements

New research highlights that companies are massively ill-prepared for the General Data Protection Regulation (GDPR), which entered into force on May 25, according to Apricorn, a manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives.

Less than a third (29%) of organizations surveyed ahead of the GDPR deadline felt confident they would comply, and when asked whether there were any areas they might be likely to fail, 81% could think of some area of the new requirements that might cause them to fail when it comes to GDPR compliance.

Half of organizations who know that GDPR will apply to them admit that a lack of understanding of the data they collect and process is their number one concern relating to non-compliance. On top of this, almost four in 10 (37%) believe they are most likely to fail because of gaps in employee training, and almost a quarter (23%) say their employees don’t understand the new responsibilities that come with the GDPR.

“Data or personally identifiable information (PII) is at the heart of GDPR and mapping and securing it should be every organization’s number one priority. By now, all employees, from the top down, should have an understanding of the importance of GDPR and the role they play in keeping this data safe”, said Jon Fielding, managing director, EMEA Apricorn. “While we know that many organizations have provided some form of employee training, clearly in some cases this hasn’t been effective and organizations should address these gaps urgently.”

While almost one in 10 still regard the GDPR as a mere tick box exercise, a substantial proportion do view it as being of some benefit to their organization – for example 44% agree that the new regulation is a welcome opportunity to overhaul their organization’s data handling and security processes. The most commonly taken step so far, for those who say they will be at least somewhat prepared for the GDPR, is to review and update their security policies for mobile working (67%). However, three in 10 (30%) still worry they could fail to comply due to mobile working, and almost a quarter (22%) of respondents are concerned they may fail due to a lack of encryption. “There is a lot more awareness amongst companies since our first survey last year, but we continue to see a huge amount of confusion amongst organizations as to what to priorities in order to tackle the regulation,” added Fielding.

In line with this, 98% of respondents recognize that they will need to continue investment in policy, people and technology even after the deadline has passed. Investing in the necessary tools to make security processes easier and more efficient is vital, particularly when taking into account that Article 32 of the GDPR requires the pseudonymisation and encryption of personal data. “The best form of defense is to make sure everything you have is as locked down as possible and all PII is encrypted in transit and at rest,” advised Fielding.