I mentioned earlier the role that GDPR will play in any GRC framework, whether that framework is just getting underway or has been established for some time.
The problem is, as we inch closer to the deadline, organizations are doing a very poor job at preparing their staff about GDPR and what they need to do to make sure the company remains in compliance.
Unfortunately, IT departments aren’t doing a very good job about educating themselves. A recent report from Commvault found that only 21 percent of IT professionals think they have a good understanding of what GDPR means in practice – and it goes downhill from there. Only 18 percent admit to understanding their company’s data and where it’s stored, only 12 percent understand how GDPR will affect cloud services, and a shocking 11 percent said they understand what actually makes up personal data.
With numbers like that, it isn’t GDPR we should be worried about but instead we should demand to know how those organizations are handling any type of security or meeting compliance regulations. It’s no wonder that Commvault found 87 percent of CIOs believe their current policies will leave them vulnerable to risk under GDPR’s high standards and more than half expect to be fined.
If IT professionals are this unaware about GDPR or even the basics of protecting corporate or personal data, it isn’t surprising that the average employee or consumer is even less familiar. MediaPro’s 2018 Eye on Privacy Report revealed that while 54 percent of U.S. companies say GDPR has to be a top priority this year, 59 percent of their employees have never even heard of GDPR. The study also found those within the finance industry did not consider tax information any more sensitive than respondents from the six other industries, including education and health care, and the technology sector demonstrated the least ability to correctly identify scenarios that could put private data at risk, such as reportable privacy incidents. In a formal statement, Tom Pendergast, MediaPro’s chief strategist for security, privacy, and compliance, pointed out what has become obviously clear:
With GDPR just months away, now is an ideal time for organizations who haven’t taken data privacy seriously to begin to do so. Data privacy is everyone’s responsibility, and organizations can prepare their employees to protect against threats through year-round privacy awareness training programs that address privacy concerns at the root of employee culture.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba
