As more data breaches occur every day and more data privacy regulations come into force, such as the EU General Data Protection Regulation, organisations are beginning to make data governance and data protection more of a priority.
But as the Data Protection: Prioritising Regulations & Guidelines research study released by Blancco Technology Group reveals, delayed threat detection and breach notifications could intensify the regulatory challenges of data protection. In particular, 16 percent of businesses take between one and six months to detect a security threat and 5 percent only detect a threat when notified by external parties.
While threat detection plays a vital role in helping organisations prevent data loss/theft, it's equally important for organisations to notify regulatory authorities and customers of a data breach in a timely and efficient manner. Despite the EU GDPR's requirement to notify regulatory authorities of a data breach within 72 hours, 13 percent of the surveyed IT professionals admitted it takes between one month and one year to do so. In such instances, these organisations would be in violation of the EU GDPR's breach notification requirement and could face regulatory fines of up to €20 million, or 4 percent of their global turnover, whichever is greater.
Key findings from the study include:
- Information is beautiful, but data breaches are not. 28 percent of organisations have been hit by a data breach in the last 12 months.
- Although C-suite interest in data governance is increasing, visibility proves challenging. While it's good news that 76 percent of C-suite and board-level executives review and assess regulatory compliance with state, federal and international data protection laws, 12 percent do so infrequently (only once every one to three years).
- ISO and NIST data protection guidelines are rising in importance. 88 percent of the surveyed IT professionals consider ISO and NIST guidelines to be either 'very important' or 'important.'
- Regulatory fines have become too normalized. 29 percent of businesses have been cited by a regulatory/governing body for failure to comply with security regulations in the last 24 months.
- Regulatory fines are considered more damaging than customer lawsuits, negative publicity and reduced sales. 28 percent of organisations said regulatory fines are the most damaging consequence of being cited for a regulatory violation, followed by customer lawsuits (22 percent), negative publicity (20 percent) and reduced sales (8 percent).
"The findings of our study reiterate just how important it is for organizations to manage data properly and have a sound data governance program in place," said Richard Stiennon, Chief Strategy Officer of Blancco Technology Group. "This will require organisations to be fully aware of and regularly assess every type of user data that is stored, how long that data is kept, as well as when and where data needs to be removed when users end their service or when legal requirements demand it. As so many data breaches have shown, taking too long to detect a security threat and notify both regulatory authorities and customers could not only lead to regulatory fines, but could also put organizations at the center of customer lawsuits, diminished sales and negative publicity."
The purpose of the study is to understand the level of importance organisations place on data protection regulations and industry guidelines. The survey was fielded in October 2016 to 460 IT professionals in the United States, Canada, Mexico, United Kingdom, France, Germany, India, Japan and China.