As we near the date when the General Data Protection Regulation (GDPR) comes into force, the magnitude of the compliance task facing firms is becoming ever clearer.
The GDPR comes into force on 25 May 2018, and new research by information security experts Citrix has examined the major risks that could impact British firms as they grapple with GDPR compliance. Citrix’s research sought the views of 500 IT decision-makers in firms with 250 or more employees throughout the UK.
The research found three major risks: data sprawl, information overload and uncertainty over data ownership.
Data sprawl refers to the problem of data being stored and managed with separate systems. The research found that the average UK firm uses no fewer than 24 systems to store and manage personal data. But a significant minority of firms – 21% – use over 40 systems.
On top of that, 47% of respondents share personal data from their customers with other businesses. The average number of partners involved is 48, but nearly half of the firms surveyed revealed that they shared data with more than 50 other businesses. And 15% admitted that they lost at least some degree of control over that data once it was shared – although most believed that they had full control over data at all times.
Information overload is, as the name suggests, simply having too much data to deal with. Large firms responding to the Citrix survey collect personal data from 577 individuals each and every day, with 26% collecting it from over 1000. Dealing with the sheer volume of data being generated is a major task.
More than half of the survey respondents admitted that they held personal data for more than a year, with 25% storing it for over five years. However, the rationale for this data storage is often questionable: 40% of respondents admitted that they didn’t use all the personal data they stored, while 8% revealed that they never used any of it at all.
Finally, data ownership is an area of real uncertainty for firms. When it comes to personal data based on predictive analytics, 27% of respondents believe the data is owned by the customer themselves, while 50% think it belongs to the organisation.
If you don’t know who owns data, it’s practically impossible to set up policies to control access and comply with the terms of the GDPR. That was reflected in the survey, with 38% of firms acknowledging that they were not ready for the new regulation, or that they didn’t even know whether or not they were compliant.
Is your business facing similar issues to these? With the deadline for compliance approaching quickly, it’s time to get a firm grasp on what data you collect, who owns it, who’s involved in processing it, how long you store it and whether you have a genuine reason to do so.