In two previous blogs, I discussed the impact of the new EU General Data Protection Regulation and 8 things architects can do to help their organization comply with this far-reaching regulation. We also made available our ’How ready are you for the GDPR?’ test, which determines whether your organization is doing enough to prepare for the important regulation. If you haven’t done so already, you can still take the test right here. The results so far (based on almost 200 participants) have provided us with some interesting insights into the respondents’ awareness of the GDPR and readiness among organizations.
Only half of respondents are aware of the GDPR and planning to work on compliance
First of all, some 95% of respondents indicate that their organization does business with EU companies or residents. All of these organizations will have to comply with the GDPR, even if they are located outside the EU.
Despite this, only half of respondents are aware of the issue and are actively planning or working on compliance. This is a concerning statistic, given the stringent requirements of the GDPR, the financial and reputational consequences of non-compliance, and the time remaining until the GDPR is enforced (May 2018)!
Figure 1. Is your organization aware of the impact of the EU General Data Protection Regulation?
If we look at the job titles of respondents, we see some interesting differences. IT and Risk Managers are more aware of the GDPR and claim to have a coherent plan for action, but Architects appear to be less prepared. Does this mean that Architects aren’t informed about the initiatives of their IT and Risk Managers? If this is the case, there is a missed opportunity, since architecture has a lot to contribute to making an organization GDPR-ready.
Between Business Managers and Architects, many are aware, but don’t know what to do next. For those respondents, the steps I outlined in my previous blog provide an idea of the first actions they could take.
Figure 2. Is your organization aware of the impact of the EU General Data Protection Regulation?
Less than a third comply with the ‘informed consent’ criteria
Another question addresses so-called ‘informed consent’. In essence, you are not allowed to do anything with data you collect about EU residents without their knowledge and prior consent (opt-in, not opt-out!). Consent must be explicit; you are not allowed to bury this somewhere deep in your license agreement or terms of use. In our survey, less than a third of the respondents appear to comply with this in full.
Figure 3. Do EU residents browse your website or use your app?
Although the GDPR is an EU regulation, it applies to any organization that stores or processes personal data on EU residents, no matter where the organization itself is located. This includes many organizations in the US and elsewhere. The high number of organizations, both in the EU and outside of it, that don’t know what personal data they use is rather concerning.
Interestingly, it appears that North American respondents are slightly more mature in the protection of personal data than those from the EU, as shown below (although there are also more laggards).
Figure 4. At what stage of the architecture and design of your systems is privacy and security addressed?
However, North American awareness of the impact of the GDPR is, on average, a lot lower. Many companies outside the EU may assume that it doesn’t apply to them, but that would be a mistake. Any organization storing or using data on EU residents is affected. Even putting a tracking cookie on someone’s device may thus make you liable.
Figure 5. Is your organization aware of the impact of the EU General Data Protection Regulation?
22% of organizations have no idea what personal data they store
Perhaps the most shocking outcome is the percentage of organizations that have no idea what personal data they store: 22% of respondents.
This group also overlaps for a large part with the 25% who answered, when asked at what stages of the architecture and design of their systems they address privacy and security, that they manually test for security issues and bolt on some measures afterwards, instead of taking this into account as a key concern in the full design and realization process. If you are a customer of one of those organizations, you should be seriously worried. Moreover, if the responsible authorities investigate those organizations, say after a data breach, they can expect severe penalties.
The scatter plot below shows the maximum fines estimated by the respondents versus the actual maximum penalty based on their annual turnover. The actual maximum is 4% of annual turnover or €20 million, whichever is higher. However, as you can see, most organizations’ estimates are much too low.
Figure 6. What do you think the maximum fine for non-compliance with the GDPR could be for your organization?
If you have not started a program to ensure GDPR compliance yet, it is high time to do so. As I explained in my previous blog post, architects can play a pivotal role in this. Enterprise Studio helps you leverage existing models and data, analyze security and privacy concerns and define the right measures and controls. This gives you a flying start in improving your data security and ensuring regulatory compliance. The days of lackadaisical privacy protection are definitely over, so get started today!