This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.
On May 25, 2018, all businesses that handle the Personal Data of EU-based citizens are required to be GDPR compliant. Otherwise they they risk a fine of up to $20 million or 4% of their annual revenue, whichever is higher.
Since the EU's population is over half a billion, the majority of businesses deal with EU citizens, either as their customers, employees or business partners. Considering the importance of the General Data Protections Regulations for businesses, we surveyed 302 Chief Executives of US businesses to gain insight into how non-EU businesses are addressing GDPR – what they are doing to adhere to these regulations, how much effort is needed and how much it is costing them.
Table of Content
- Who Answered the GDPR Survey?
- Are Businesses Ready for GDPR?
- Are Employees Aware of GDPR?
- Are Businesses Receptive to GDPR?
- Are Business Well Equipped to Achieve GDPR Compliance?
- What Changes Are Businesses Making in Order to Become GDPR Compliant?
- How Much Are Businesses Spending on GDPR Compliance?
- What Impact Will GDPR Have?
- Is GDPR a Step in the Right Secure Direction?
Who Answered the GDPR Survey?
The respondents all hold C-Level positions. The majority are CEOs, followed by CSOs, CISOs and CIOs.
Are Businesses Ready for GDPR?
Only 1% of those surveyed have not yet done anything to become compliant. The majority of businesses are already working on becoming GDPR compliant, and the majority of them (48.7%) have completed more than 75% of the required work.
What's even better is that 71.2% of respondents believe they will be GDPR compliant before the deadline kicks in (May 25, 2018), while 26.5% think they are on the right track and should be ready by the deadline. Only 2.3% are unlikely to be ready on time.
Are Employees Aware of GDPR?
GDPR received a lot of media coverage – much more than PCI DSS, HIPAA, ISOs and other regulatory or compliance measures and bodies. Both the news outlets and vendors are giving it lots of attention. Could it be that the general population is becoming more concerned about privacy, and so businesses are attempting to address this additional customer demand. Or, is such coverage the natural consequence of the alarmingly hefty fines that follow if businesses fail to comply? It's not surprising then, to discover that an impressive 90% of the employees who work with the respondents are also aware of GDPR.
Are Businesses Receptive to GDPR?
Compliance with government legislation is not something that businesses like. Typically, it brings with it additional expense, more complex procedures and slower production. So, it’s remarkable to see that 88.1% of our respondents said that all their business peers are receptive to GDPR, and that the majority of the employees are complying.
Keeping this receptive approach in mind, there are notable differences between industry verticals in how this is implemented. For example, respondents from the Science, Technology, Programming, Accounting, Finance and Banking sectors are 35% more likely to receive overall cooperation within the organization to achieving GDPR compliance than those in the Healthcare industry.
Are Business Well Equipped to Achieve GDPR Compliance?
Among our results, 62.9% of respondents said that their team knows enough about GDPR and are doing everything in house, while 27.8% hired third party service firms to assist them with achieving compliance. Less than 10% said they have not found enough information – a figure I find hard to swallow, given that it seems that almost every business and news outlet in the security industry has written about GDPR. We have published the Road to GDPR Compliance Whitepaper, an easy to follow, high level guide on how businesses can become GDPR compliant.
What Changes Are Businesses Making in Order to Become GDPR Compliant?
Compliance means more work, stricter controls and more complex procedures. So working towards compliance means at least changes to some systems, but for many businesses could also mean recruiting new people. Let’s see what changes businesses are going through in order to achieve compliance.
Only 0.3% said that they do not need to make any changes, which we presume means that they were already GDPR compliant even before GDPR was announced.
How Many People Do Businesses Have to Recruit Because of GDPR?
This is where the numbers get interesting. It turns out that there is a lot of headhunting going on! A total of 55% of those businesses who have a dedicated team for compliance have recruited more than six additional employees to assist them to achieve GDPR compliance.
Currently, 82% of companies surveyed currently have a DPO on their staff, while 77% plan to hire a new, replacement DPO, prior to the GDPR target date of May 25, 2018. What’s certain is that even though we are in the digital era, where lots of work is automated, the number of people a business needs to become GDPR compliant correlates with the number of employee the business. The more employees a business has, the bigger the compliance team.
How Much Are Businesses Spending on GDPR Compliance?
As above with the number of employees, the bigger the business is, the more it spends on GDPR. The majority, 59.6%, will spend somewhere between $50,000 and $1 million, while 10.3% will spend more than $1 million to become GDPR compliant.
What Impact Will GDPR Have?
News of data leaks, stolen credit cards, fraud and identity theft has become so frequent that the general population is very aware of the need for more secure services that guard their data and personal privacy. So what impact will GDPR have on businesses and industries that serve these savvy and demanding consumers once it comes into force?
GDPR Means More Secure Web Applications
Web applications are the centre of many modern business, government and consumer services. Online services are web applications, the cloud is a collection of web applications and businesses collect and share the majority of their data via web applications and web APIs. It is easy to conclude that GDPR should have a positive impact on the security of applications, or so the majority of respondents think. Only 2% disagree.
Does GDPR Mean Better Handling of Personal Data and Response to Data Breaches?
The last few years has witnessed many data breaches. What is even worse is watching how businesses handle data breaches: some have tried to hide them, some have announced them years later, some were unaware that their networks were hacked and data had been leaked.
So will businesses now adopt a more ethical approach? Of those asked, 54.3% believe that businesses will be even more hesitant to report data breaches because of the punitive fines. On the other hand, 53.6% believe that businesses will no longer hide data breaches. Many others are of the opinion that it won’t change anything. We shall see…
Consumers Reactions to Data Breaches
Let’s assume that businesses will disclose all data breaches. Will this increased exposure – mainly because of GDPR – have an impact on consumers? The majority think that it will drive consumers to be more assertive in asking businesses what they are doing with their data and how they are handling it.
We are already noticing this in Europe, especially in countries such Germany and the Netherlands that are very strict on consumer privacy. Will other nations follow? This consumer behaviour has a huge impact, and should be encouraged if we want to see a drastic improvement in security and privacy.
Is GDPR a Step in the Right Secure Direction?
The GDPR survey results above are very positive. Businesses are on the right track and are very receptive. Maybe it is still too early to say that data leaks and identity theft are a thing of the past, but we are certainly heading in the right direction.
Is Your Business GDPR Ready?
Do you handle any EU citizen data? If the answer is 'yes', your business needs to be GDPR compliant. We have written an easy to follow guide called The Road to GDPR Compliance, which will help you get started and ensure your business is GDPR compliant before the deadline. You can also get in touch with us to learn how Netsparker can help you with GDPR compliance.