As the GDPR deadline drew near last May, businesses across the globe scrambled to not only become compliant, but to understand the new marketing and communications world they were entering. But even now, a new survey from international law firm McDermott Will & Emery reveals that many companies continue to face challenges understanding and responding to EU data breaches, despite making investments in new personnel and changing business practices.
The research, carried out by the Ponemon Institute, surveyed businesses across the globe surveyed companies in the U.S. and EU, and for the first time in China and Japan, as they assessed progress and challenges after one year under the GDPR requirements.
Key findings:
- Nearly 50 percent of respondents experienced at least one personal data breach that was required to be reported under GDPR
- One-quarter of respondents on average in all countries say their readiness and confidence to respond to a GDPR data breach is very low
- Only 18 percent of organizations were highly confident in their ability to communicate a reportable data breach to the relevant regulator(s) within 72 hours of awareness
- Nearly half (49 percent) of Chinese respondents and more than a third (36 percent) of Japanese respondents subject to GDPR are still not familiar with this regulation.
“The number of data breaches occurring under GDPR should give pause,” said Mark Schreiber, partner and co-leader of McDermott’s Global Privacy and Cybersecurity Practice, in a news release. “Companies would benefit from conducting risk assessments and engaging forensic professionals who can identify vulnerabilities and recommend improved processes and remediation. If done under litigation or attorney privilege, organizations can further safeguard themselves.”
“The reporting requirement is one of the most difficult aspects for companies to get right. Over-reporting and under-reporting to regulators are both disadvantageous, and mandatory reporting to data subjects can increase the likelihood of class action litigation,” said Ashley Winton, a partner at McDermott and a Ponemon Institute fellow and Chairman of the UK Data Protection Forum, in the release.
Since May 25, 2018, how many personal data breaches did your organization have that were reportable under GDPR?
What were the consequences of these data breaches?
Although companies report making significant investments in compliance, there are still risks around their ability to prevent—and then also respond to—data breaches. Almost half of the respondents experienced at least one personal data breach that was required to be reported under the GDPR. Less than that (39 percent of U.S. companies and 45 percent of EU companies) reported a personal data breach to a regulator.
Approximately one third of companies obtained cyber risk insurance; 43 percent of those respondents said their insurance policy covers GDPR fines or penalties. Ten percent were unsure of what their organization’s cyber policy covered.
Looking beyond the U.S. and EU, Chinese and Japanese respondents lag in their GDPR efforts. Only 29 percent of the Chinese respondents and 32 percent of Japanese ones stated that they were fully compliant with the GDPR, more than 10 percent lower than Western companies. Although Japanese respondents rely heavily on external cybersecurity services to investigate data breaches, significantly fewer Chinese respondents did so and only 41 percent of these are conducted through litigation or under the protection of lawyer-client privilege.
“As revealed in our first study one year ago, The Race to GDPR, GDPR compliance is a challenge, particularly with information and the companies that possess it so frequently crisscrossing national borders and an uptick in varying local regulations – whether that’s China’s Cybersecurity Law or the new California Privacy Act,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in the release.
Which of the following GDPR security actions has your organization addressed?
“What we learned this year is that countries and regions are now very much at different points in their compliance awareness and execution journeys. With enforcement activity just beginning, it is more important than ever for companies to work hand in glove with external cybersecurity services and legal counsel and understand that these issues will continue well into the foreseeable future,” he added.
Additional findings include:
- A surprisingly high percentage of respondents (85 percent) reported appointing a GDPR Data Protection Officer and 54 percent of non-EU respondents appointed an EU Representative. Most of these appointments were internal rather than an external individual or company. At play are complex GDPR provisions that mandate this position in some, but not all, situations.
- More than half of the US company respondents apply GDPR data subject rights to both U.S. and EU employees. Fifty-one percent of US companies surveyed say they give their U.S. and EU employees the same rights under GDPR. Only 43 percent of EU companies apply GDPR data rights to both U.S. and EU employees.
