Many firms still need to deploy security controls and implement solid incident response plans to meet the GDPR deadline in May.

Each year, ESG surveys around 700 cybersecurity and IT professionals as part of its annual IT spending intentions research (note: I am an ESG employee). In this year’s survey, ESG asked respondents several questions about General Data Protection Regulation (GDPR) readiness.

What we found is alarming. With only a few months until the regulation goes into effect, only 11 percent of those surveyed say they are completely prepared, and only 33 percent say their incident response plan meets the GDPR requirement for breach disclosure within 72 hours.

Specifically, this is what they said about their GDPR preparedness:

- While 11 percent of organizations are completely prepared for GDPR (i.e. they would be ready if it went into effect tomorrow), 33 percent say they are mostly prepared (i.e. most work is done but some tasks are left to accomplish), and 44 percent claim they are somewhat prepared (i.e. the organization has identified all the steps needed to meet the GDPR deadline but is early in the process of completing them).
- Nearly one quarter (22 percent) of organizations say they don’t need to make further technology purchases to address GDPR. Alternatively, 63 percent have made or will make some incremental technology investments, while 10 percent have made or will make substantial technology investments for GDPR.
- One-third of organizations say their incident response (IR) plan can meet the GDPR requirement for breach disclosure within 72 hours. The remaining organizations admit that their IR plans need work, however: 35 percent say their IR plan needs some updates to meet GDPR, 8 percent claim their IR plan needs major revisions, 7 percent will need to establish a new IR plan, and 8 percent admit they don’t have an IR plan at all and will have to create one from scratch.

Companies have a lot of work to do to meet the May GDPR deadline

My take-away from this data is that most organizations still have plenty to do with just over three months to go. Furthermore, I am alarmed by the lingering uncertainty around GDPR. For example, when survey respondents were asked to identify their organization’s biggest GDPR challenges, just under one-third (32 percent) said “understanding all the requirements associated with GDPR,” while 31 percent said “establishing the ability to audit GDPR controls for regulators.” Given that we are just about through with February, you would think that firms would have these issues under control by now.

I’ve encountered this uncertainty in conversations with CISOs, as well. When I ask them if they are ready for GDPR, many respond, “I don’t really know.” Judging by the data, I’d say the handoff from legal and privacy teams to security and operations teams is a work in progress. In other words, corporate lawyers are still figuring out what their organizations need to do. As a result, they haven’t fully operationalized a GDPR plan — and the clock is ticking.

One of my cybersecurity predictions at the start of 2018 was that we would see a massive data breach and subsequent GDPR fine by the end of this summer. This data only reinforces my belief that this will happen.