The Clock is Ticking for the GDPR

Business Insights
13/04/2017

The countdown is on for the GDPR - are you ready for it? Wait - do you even know what the GDPR is?

If you don’t, you’re not the only one. Around 80% of organisations globally remain in the dark about it, less than one in three companies feel they are prepared for it and 97% of companies don’t have a plan to be ready for it.

All of which is a little unfortunate, as it comes into force in just over 12 months.

First things first, then. What is it? GDPR is the European Union's new General Data Protection Regulation, which comes into force on May 25, 2018.

The new legislation supersedes 1998’s Data Protection Act, itself enacted following the 1995 EU Data Protection Directive, and strengthens the protection of personal data for all EU citizens. By making data protection rules more or less identical throughout the EU, GDPR will affect companies of all sizes, in all regions and industries, and will bring tougher fines for non-compliance and breaches.

Wait a minute - are we not supposed to be leaving the EU? Irrelevant, says the government, which has already confirmed that Brexit will not affect GDPR’s implementation. Crucially, it will apply not only to processing carried out by organisations operating within the EU, but also to organisations outside the EU that offer goods or services to individuals within it.

Which makes the widespread lack of awareness rather unnerving.

The current state of affairs was revealed by Dell, the global technology solutions, services and support provider, which recently surveyed IT and business professionals from around the world who are responsible for data privacy at companies with European customers, asking about their awareness, perception and readiness for GDPR.

The results showed that:

  • More than 80% knew little or nothing about GDPR.
  • Almost 70% said their company was not prepared for GDPR, or did not know whether it was, while only 3% had a plan for readiness.
  • Organisations realised that failure to comply would impact both data security and business outcomes, but were unclear on the extent of change required, the severity of penalties for non-compliance and how the changes would affect them.

Additional findings showed that most did not feel well prepared across security disciplines for GDPR compliance. This is a cause for further concern because, given the new regulation’s scale, complexity, cost and business criticality, it is estimated that most companies will take at least two years to achieve full compliance.

John Milburn, vice-president and general manager of Dell One Identity Solutions, says GDPR is the first update to European data protection laws since 1995, a time when the Internet was in its infancy and the constantly evolving cyber threats of today did not even exist.

“This survey reinforces the global lack of general understanding of GDPR, the scope of the regulation, and what organisations need to do to avoid stringent penalties,” he adds, before warning: “Results also show that while some ‘think’ they are prepared, they will be in for a rude awakening if they experience a breach or must face an audit and are subject to the consequences of non-compliance with GDPR.”

To be compliant, Dell urges companies to adopt an adaptive, user-centric, layered security model approach around the tenets of prevent, detect, respond and predict.

Suggested best practices include:

  • Hire a data protection officer (DPO). A requirement for GDPR, the position can be full-time, or filled by an employee with other responsibilities or an outsourced agency.
  • Deploy a firm access governance solution. The ability to govern access to applications that permit access to EU citizens’ personal data - particularly unstructured data - is a major factor in data security and GDPR compliance.
  • Control access management. Employees and contractors must have the access permissions they need to do their jobs, and nothing more.
  • Perimeter protection. Use next-generation firewalls to reduce a network’s exposure to cyber threats, mitigate the risk of data leaks that could lead to a data breach and deliver the forensic insight required to prove compliance and execute appropriate remediation following a breach.
  • Ensure email security. Achieve full control and visibility over email activity to mitigate the threat of phishing and other email-based attacks on protected information, while enabling the secure and compliant exchange of sensitive and confidential data.

For more about GDPR, visit the Information Commissioner’s Office website at www.ico.org.uk