There is an increasing number of surveys about the General Data Protection Regulation (GDPR). Do not let them confuse you. Instead, use the studies as a basis for your own internal research.
GDPR: Surveys show significant deficits
The General Data Protection Regulation (GDPR) is a key topic for the coming months, and not just for data protection officers.
This is evident from the numerous studies and surveys published recently by associations, consulting firms, and IT security providers. Nearly all the studies agree that there is a lot of work to do, both before 25 May 2018 and after.
Naturally, surveys regarding the GDPR implementation status in German companies have a specific focus. This is especially true for studies performed or commissioned by solution providers.
While this is understandable, it may also result in confusion at the companies. Gaining an overview of the various studies is therefore useful before deciding on a plan for determining the implementation status at your own company.
Overview of current results
Because the surveys use different sample sizes and company sizes, and because they target different industries, companies should not focus too much on the exact percentages.
The focus should rather be on identifying general weaknesses in the implementation that merit internal review.
Reviewing general weaknesses
The following results exemplify these facts:
- Veritas study (PDF): Companies have the greatest difficulties with retaining an overview in the event of data loss:
- Almost half (48 percent) of the respondents who indicated being prepared for the regulation do not have information on all events involving loss of personal data.
- 60 percent even report being unable to detect and report a data leak within 72 hours.
- 18 percent admit to being unable to search, find, and delete personal data on short notice.
- Another 13 percent are unable to check whether their data contain references to individuals, or to visualize where that data is stored.
- 13 percent also admit that data sources and their intended use are not clearly defined.
- Commvault study: 52 percent of companies either do not know how long it takes them to find personal data and respond to a request, or need several days to do so. This may result in fines and damage to their reputation.
- Trend Micro study: Despite a stated awareness of the GDPR, there is a degree of uncertainty about which data are personal and require protection:
- Only 35 percent of respondents in Germany were aware that a customer’s date of birth should be regarded as personal data.
- In addition, only 64 percent would classify their marketing databases as personal data.
- 34 percent erroneously do not regard customer addresses as personal data, and 23 percent say the same of e-mail addresses.
- WatchGuard study: At the time the survey was conducted (May to August 2017), almost half (47 percent) of the surveyed companies in Germany were uncertain whether the GDPR even applies to them.
- Bitkom study: Companies often lack the basic organizational requirements to ensure data protection. 42 percent of the responding companies stated that they do not have a register of procedures that documents internal processes for handling personal data. A year before, this percentage was at a similar level (46 percent).
Important: Find your own priorities
Do not use these percentages as the sole basis for prioritising your own list of weaknesses.
The differences between companies are too specific for deriving your own priorities from these statistics.
Summary: Determine the implementation status yourself, and act accordingly
The following checklist indicates typical weaknesses in the implementation of the GDPR that should be reviewed internally. Use the results to make recommendations for internal project planning to remedy deficiencies in the implementation.
Download: GDPR implementation checklist
Time is tight – not just because the media will soon publish the next set of survey results, but because an actual deadline is approaching.
Oliver Schonschek is a physicist, analyst, and technical IT journalist for IT security and data protection.