Senior executives at companies with more than 500 employees in 11 countries appear to be somewhat casual in their approach to complying with the EU's General Data Protection Regulation (GDPR), which takes effect on 25 May 2018.
Security firm Trend Micro came up with this finding after conducting 1132 online interviews with IT decision-makers in the US, the UK, France, Italy, Spain, the Netherlands, Germany, Poland, Sweden, Austria and Switzerland.
A similar survey was conducted at Trend Micro's August CLOUDSEC conference, covering 292 Australian C-suite executives who were asked about the Australia data breach laws that take effect on 22 February 2018.
The company said it had seen the following broad trends:
- senior executives shun GDPR responsibility in 57% of businesses;
- about 42% of businesses don’t know email marketing databases contain personally identifiable information; and
- about 22% of businesses claim a fine "wouldn’t bother them" if they were found in violation of the GDPR requirements.
While more than half (56%) of the Australians surveyed agreed they would be affected by the mandatory data breach laws, and either had a process to become compliant in place, or were working on one, 16% did not believe they would be affected by the scheme.
Additionally, 28% admitted they only had an informal process in place, or no process at all for risk management and cloud security within their organisation.
Indi Siriniwasa, managing director – Enterprise and Government, Trend Micro ANZ, said it was concerning that so many Australian organisations were unprepared or believed they would not be affected.
“It has never been more important for organisations to make cyber security a key priority, and protect the interests of their customers against cyber attacks. Not only is this a security and prevention issue, but it can also have a disastrous impact on both brand and reputation,” he said.
The GDPR provides for fines for failing to protect personal information of up to €20 million or 4% of annual global turnover, whichever is greater. Australia's scheme applies to organisations with an annual turnover of more than A$3 million.
In the countries other than Australia, Trend Micro found that those surveyed had strong awareness of the principles behind GDPR, with 95% knowing they needed to comply, and 85% having reviewed the requirements. Also, 79% of businesses were confident their data was as secure as it could be.
But when it came to defining personally identifiable information, things were not so clear-cut. Sixty-four percent were unaware that a customer’s date of birth was PII.
Additionally, 42% said they would not classify email marketing databases as PII, 32% did not consider physical addresses to fall into this category and 21% did not think a customer’s email address was in this class.
Trend Micro pointed out that this data was sufficient for identity theft, and any business not properly protecting this information could be penalised.
Another area of concern identified in the survey was that businesses were unsure who would be held accountable for the loss of EU data by a US service provider. Only 14% were aware that both parties were equally responsible, while 51% believed the EU data owner would be fined and 24% were sure the US service provider was at fault.