Each year, ESG surveys around 700 cybersecurity and IT professionals as part of its annual IT spending intentions research. In this year’s survey, ESG asked respondents several questions about GDPR readiness. Here’s what we found out:
- While 11% of organizations are completely prepared for GDPR (i.e., would be ready if it went into effect tomorrow), 33% say they are mostly prepared (i.e., most work done but some tasks left to accomplish), and 44% claim they are somewhat prepared (i.e., the organization has identified all the steps to meet the GDPR deadline but is early in the process of completing all tasks).
- Nearly one-quarter (22%) of organizations say they don’t need to make further technology purchases to address GDPR. Alternatively, 63% have made or will make some incremental technology investments while 10% have made or will make substantial technology investments for GDPR.
- One-third of organizations say that their incident response (IR) plan can meet the GDPR requirement for breach disclosure within 72 hours. The remainder, however, admit that their IR plans need work. Thirty-five percent say their IR plan needs some updates to meet GDPR, 8% claim that their IR plans need major revisions to meet GDPR, 7% will need to establish a new IR plan to meet GDPR, and 8% admit that they don’t have an IR plan and will have to create one from scratch to meet GDPR.
My takeaway from this data is that most organizations still have plenty to do with just over 3 months to go. Furthermore, I am alarmed by the lingering uncertainty around GDPR. For example, when survey respondents were asked to identify their organization’s biggest GDPR challenges, just under one-third (32%) said ‘understanding all the requirements associated with GDPR,’ while 31% said ‘establishing the ability to audit GDPR controls for regulators.’ Given that we are just about through with February, you would think that firms would have these issues under control by now. I’ve encountered this uncertainty in conversations with CISOs as well. When I ask them if they are ready for GDPR, many respond, “I don’t really know.”
Judging by the data, I’d say that the handoff from legal and privacy teams to security and operations teams is a work in progress. In other words, corporate lawyers are still figuring out what their organizations need to do. As a result, they haven’t fully operationalized a GDPR plan – and the clock is ticking.
One of my cybersecurity predictions at the start of 2018 was that we would see a massive data breach and subsequent GDPR fine by the end of this summer. This data only reinforces my belief that this will happen.