According to the EU GDPR (General Data Protection Regulation) Implementation Review Survey conducted by IT Governance, six months after the GDPR went into effect, the majority of organizations are failing to implement the mandatory regulations.
The study included 210 responses from participating organizations across industries, ranging in size from fewer than 10 employees to more than 1,001. Participants were asked how far along they were in achieving GDPR compliance, and only 29% said they had implemented all of the necessary changes.
Despite 59% of respondents stating that they are aware of the changes to data subject access requests (DSAR), only 29% actually have an adoption plan in place to address these changes, even though data subjects are able to file complaints that could result in fines if their DSAR is incorrectly managed.
Although respondents said they understood the ways in which the GDPR applies to their organizations, many expressed a lack of confidence in fully understanding how to implement the changes. When asked whether they had completed implementation of the changes, 46.9% said yes, while 45% had only partially implemented them. In addition, 5% responded no.
One area in which organizations have focused attention is data flow audits, with 75% of respondents reporting that they have conducted these audits in some capacity. As part of a GDPR compliance project, organizations need to map their data and information flows in order to assess their privacy risks, according to an IT Governance press release.
“It is discouraging to see so many organizations understanding the GDPR and its applicability to their businesses but failing to comply. May 25 should have been the wakeup call, but it’s not too late to begin your compliance journey. The time is now,” commented Alan Calder, founder and executive chairman of IT Governance.
The GDPR has been in effect since May 25, 2018, and the regulations apply to all organizations that monitor the behavior of or offer goods and services to EU residents, regardless of the organization’s geographical location or where it processes data.
While there is room for improvement when it comes to implementing changes, research published by BitSight found that, despite “a steady decrease in security performance across all regions of the globe, organizations within continental Europe actually improved their security performance over the last year.
“Some of the areas that organizations have improved on include the implementation of stronger controls to reduce Internet exposed services (open ports). These improvements align well with the lead-up to the implementation of GDPR, and continue after the effective date.”