Organisations Failing Fundamental Preparation for GDPR as May Deadline Looms

Posted 02/13/2018 by Nigel Tozer

A huge majority of organisations around the world are failing to make even fundamental General Data Protection Regulation (GDPR) preparations, with only 11 percent even understanding what constitutes personal data within their organisation, according to the findings of a globally-sourced survey by Commvault. Considering that being able to clearly identify what personal data is stored, accessed and used within every organisation is an essential pre-requisite before even attempting to become GDPR compliant, it's unsurprising that only 12 percent feel they are ready for the implementation of the legislation in five months' time.

The survey revealed that, in regard to the specific management of individuals' personal information, only 18 percent of organisations had the capability to delete data on request from all data stores – a process that could be immediately required of any organisation operating in European Union markets after May 25. Only 9 percent believed they could effectively anonymise their data when required, and fewer still believed they would be able to collate and move data to another organisation at an individual's request (8 percent).

In regard to other personal data management critical to GDPR requirements, such as "The Right To Be Forgotten," only 16 percent of organisations polled said they were confident that they could immediately find data related to specific individuals; 36 percent indicated that it would take hours to collect this data; 25 percent said it would take days; 18 percent acknowledged it would take weeks; and 5 percent actually admitted that there was no way they could find this data, rendering not just GDPR compliance, but also "The Right To Be Forgotten" entirely ineffective. Given these challenges, 89 percent of organisations and IT personnel admit to still being confused by key elements of the regulation.

The survey reveals considerable gaps between current knowledge and the fundamental implementations required to establish a data management strategy that enables GDPR compliance.

Key findings include:

  • 21 percent feel they have a good understanding of what GDPR means in practice
  • 18 percent said they understood what data their company has and where it lives
  • 17 percent understood the potential impact of GDPR on the overall business
  • 12 percent understood how GDPR would affect cloud services

Becoming GDPR compliant is not simply a matter of establishing these fundamental data management processes within an organisation, but doing so is an essential first step before embarking on wider internal GDPR compliance practices. Given these findings, it is highly likely that we will see a number of high-profile organisations hitting the headlines for contravening GDPR soon after it comes into effect next May, mainly due to a lack of understanding of the data they hold and its relationship to GDPR.

Unfortunately, there is still a big disconnect between business and IT leadership on GDPR, with the business thinking there is a switch to flip, and IT still believing it's a business process problem. The truth is that realigning IT processes around personal data can actually help with digital transformation or modernisation programs. This sort of alignment can deliver many efficiencies and business benefits, but if not dealt with now, organisations will not be ready for May 25.

The survey of 177 global IT personnel was conducted in October 2017 by Commvault. For more information about how your organisation should be formulating a cohesive strategy in advance of May 25, visit the Commvault Newsletter featuring Gartner Insights on how to prepare for GDPR.
Nigel Tozer is the Product Marketing Director for EMEA. He has more than two decades of experience in the IT industry with a majority of it in enterprise software and in recent years, cloud technologies.