Enterprises across the world are still struggling to comply with the new rules enshrined in the GDPR that came into effect more than a year ago. The regulation had global implications, forcing companies in the US, China and Japan to comply with new, sometimes arcane, rules previously unseen on this scale.
A new study commissioned by international law firm McDermott Will & Emery and conducted by the Ponemon Institute found that almost 50% of respondents experienced at least one personal data breach that was required to be reported under GDPR in the last year.
Companies in both China and Japan had a very high number of respondents who said they were still “not familiar” with large parts of the regulation.
“As revealed in our first study one year ago, the race to GDPR, GDPR compliance is a challenge, particularly with information and the companies that possess it so frequently crisscrossing national borders and an uptick in varying local regulations–whether that’s China’s Cybersecurity Law or the new California Privacy Act,” said Larry Ponemon Ph.D., chairman and founder of the Ponemon Institute.
SEE: IT pro’s guide to GDPR compliance (free PDF) (TechRepublic Premium)
These corresponding, and often competing, laws across the world were making it difficult for companies to manage, forcing them to hire people specifically to handle compliance.
The study said Japanese respondents were increasingly using external cybersecurity companies to deal with any data breaches. Just 29% of Chinese respondents and 32% of Japanese ones reported being fully compliant with the GDPR, according to the survey.
“What we learned this year is that countries and regions are now very much at different points in their compliance awareness and execution journeys,” Ponemon said.
“With enforcement activity just beginning, it is more important than ever for companies to work hand in glove with external cybersecurity services and legal counsel and understand that these issues will continue well into the foreseeable future,” he said.
For many organizations, the biggest issue was the process around reporting data breaches. In every country surveyed, an average of 25% respondents said they had a very low level of preparedness and confidence to deal with GDPR rules about data breaches.
Fewer than 20% of enterprises were “confident” in their ability to handle the task of reporting a breach to regulators within 72 hours. Companies are now investing heavily in compliance measures to catch up, but many still struggle to deal with the new realities of data management.
EU regulators may cringe when they see that most companies are not reporting their breaches at all. Half of those surveyed had experienced a data breach that legally needed to be reported under the new rules yet far less than that actually did end up reporting it.
Just 39% of companies in the U.S. and 45% of EU companies actually made the effort to report a discovered breach to a GDPR regulator.
“The number of data breaches occurring under GDPR should give pause,” said Mark Schreiber, partner and co-leader of McDermott’s global privacy and cybersecurity practice.
“Companies would benefit from conducting risk assessments and engaging forensic professionals who can identify vulnerabilities and recommend improved processes and remediation. If done under litigation or attorney privilege, organizations can further safeguard themselves,” Schreiber said.
Companies were increasingly turning to cyber risk insurance to make up for their lack of compliance. But even with insurance, many companies who spoke to Poneman said they didn’t know if their policies covered GDPR fines and penalties. Less than half of respondents said their insurance policies did cover GDPR-related costs.
“The reporting requirement is one of the most difficult aspects for companies to get right,” said Chairman of the UK Data Protection Forum Ashley Winton.
“Over-reporting and under-reporting to regulators are both disadvantageous, and mandatory reporting to data subjects can increase the likelihood of class action litigation,” Winton said.
In addition to insurance, 86% of companies in the survey said they appointed a GDPR data protection officer while more than half of the enterprises in non-EU countries hired an EU representative or a data protection officer.
In a bit of good news for Americans, the survey found that GDPR rules were increasingly making their way across the pond. More than 50% of US companies said they have applied GDPR rules to both US and EU employees while just 43% of EU companies are doing the same.