Less than a third of companies think that they are ready for GDPR ahead of the deadline on 25th May.
New research from Apricorn shows that many businesses are not confident that they’ll meet compliance standards – 81 per cent could think of an area where they might fail.
Half of the organisations that know the GDPR will apply to them admit that a lack of understanding of the data they collect and process is their biggest concern relating to non-compliance.
What’s more, 37 per cent believe they are most likely to fail because of gaps in employee training, and almost a quarter say their employees don’t understand the new responsibilities that come with GDPR.
Jon Fielding, Apricorn’s managing director for EMEA, says that by now employees should know the importance of GDPR and the role they play in keeping data safe.
However, he points out that while some employees have received training, in some cases it hasn’t been effective and organisations should ‘address these gaps urgently’.
Companies see the positives
While some see the GDPR as a tick-box exercise, many others see it as a benefit to their organisation. For example, 44 per cent agree that the new regulation is a welcome opportunity to overhaul their organisation’s data security processes.
The most commonly taken step so far – at least for those who say they are somewhat prepared for the GDPR – is to review and update their security policies for mobile working (67 per cent). Even then, three in ten still worry that they could fail to comply due to mobile working, and 22 per cent of respondents are concerned they may fail due to a lack of encryption.
Almost all (98 per cent) of respondents recognise that they will need to continue investment in policy, people and technology even after Friday’s deadline has passed.
Investing in the necessary tools to make security processes easier and more efficient is a top priority, considering that Article 32 of the GDPR requires the pseudonymisation and encryption of personal data.
Fielding advises that the best thing businesses can do is to make sure everything they have is as locked down as possible and that all PII is encrypted:
‘Organisations should research, identify and mandate corporate-standard encrypted devices and educate employees on their use to avoid the risk of a breach and being fined for non-compliance’.