Survey Says? Not Ready for GDPR
The European Union’s General Data Protection Regulation (“GDPR”) has garnered lots of attention. It’s been written about extensively, both in the relevant professional circles such as information governance, legal, and compliance, as well as in the mainstream press. We’ve covered the topic in our blog, most recently offering some helpful resources for understanding the GDPR’s requirements and preparing compliance plans. And we’ve been having extensive conversations with our clients as they work on compliance with the regulations.
With all this attention, shouldn’t we assume that every organization subject to the GDPR—which is quite a broad group—is diligently preparing? After all, the GDPR goes into effect in May 2018, less than a year from now... But a new report from Gemalto shows that many companies are behind in their preparations. Gemalto surveyed 1,050 information technology professionals around the globe and found that a staggering 54% did not think they would be fully compliant before the regulations go into effect.
So what’s the problem? Why aren’t more companies confident in their ability to comply with the GDPR? Some of this uncertainty is due to not knowing where all the customer, supplier, and employee data are stored. Gemalto reports that 55% of companies don’t know where personal data might be located. As we’ve discussed in the past, we have found personal data in almost every location imaginable on the corporate network, including in stores of unstructured data.
The Gemalto statistics rely on survey data, which is an extremely useful data point. At DiscoverReady, we can add unstructured data analytics experience as another data point. As we work with clients on their data, we have found that nearly EVERY COMPANY has personal data in emails, file systems, SharePoint sites, virtual data rooms, personal computing devices and almost every storage location imaginable. Even among the 45% of Gemalto’s survey respondents who think they know where they store personal data, our experience shows that almost all of those organizations simply haven’t realized yet that personal data exhaust has diffused throughout their systems. Or perhaps those 45% have realized the extent of their personal data exhaust, and would simply state, “Yeah, I know where our personal data resides. It is everywhere.”
We understand how daunting it can be to become GDPR compliant. In addition to the policies, procedures and capabilities, companies also have to find and catalog all the personal information in their systems. And, at this point, it all needs to be done quickly. As a colleague of mine once said, “it is time for us to stop admiring the problem and start working on it.” I think many of the IT professionals in the Gemalto survey would agree.