Most Companies Mistakenly Believe They Are Compliant With EU’s New Data Protection Regulation

The European Union’s General Data Protection Regulation (GDPR) will go into effect on May 28, 2018, which doesn’t leave companies operating in the EU much time to prepare for compliance. However, according to a recent study by Veritas Technologies, a multi-cloud data management company, most companies have not only failed to achieve compliance so far, but they mistakenly believe they are already compliant.


The GDPR aims to unify previously uneven data protection laws that existed in each EU nation. Once the GDPR goes into effect, companies operating in multiple EU countries will have to respect the same data protection regulations, which also makes it easier and simpler for them to comply. On the downside, the GDPR seems to take users’ privacy rights quite seriously, which may put larger compliance burdens on some companies.

In the long term, the GDPR could be a blessing in disguise for many organizations, as the regulation also mandates that companies have much stronger cybersecurity in the form of “data protection by design.” As the number of major data breaches seem to have increased in the past couple of years, adhering to GDPR’s strict requirements may end-up saving companies from much larger potential losses in the future.

Veritas' Report

According to Veritas’s GDPR report, almost one third (31%) of the survey’s respondents thought they already conformed to the legislation’s key requirements. However, when Veritas asked them about specific GDPR provisions, their answers revealed that the companies were unlikely to be in compliance.

In fact, the number of companies that are in compliance seems strikingly low -- only 2% of the companies fully comply with the GDPR so far. Veritas added that this reveals the companies’ misunderstanding over regulation readiness.

Almost half (48%) of the companies that claimed they were compliant do not have full visibility over personal data loss incidents. A majority of them (61%) also admitted that it would be difficult for them to comply with GDPR’s mandatory requirement of reporting a personal data breach within 72 hours of awareness.

Half of the organizations that claimed compliance also kept allowing former employees access to their systems, even though this is often the cause of data breaches.

Many companies also failed to comply with the “right to be forgotten” principle that is enshrined in the GDPR, as systems to find, search and erase user data were still missing. Worse yet, almost a fifth of the companies claiming compliance admitted that they couldn'tactually purge the users’ data, nor can they see where the data is stored on their servers. Meanwhile, the GDPR already requires that data is only used for the reasons it was collected, and deleted when it’s no longer needed.

All the above issues would make companies non-compliant with EU’s GDPR, which could attract a 20 million euro fine or up to 4% of the companies’ global annual revenue (whichever is greater).

GDPR Misconceptions

According to Veritas, one common misconception companies have about GDPR is that compliance is the responsibility of the cloud service provider. In fact, it’s the data controllers’ responsibility. In this case, that’s the companies collecting the users’ data. The same companies need to ensure that the cloud service providers they use are fully compliant with the GDPR, not the other way around.

“The GDPR dictates that multi-national corporations take data management seriously. However, the latest findings show confusion over what’s needed to comply with the regulation’s mandatory provisions. With the implementation date looming ever closer, these misconceptions need to be eradicated fast,” said Mike Palmer, executive vice president and chief product officer, Veritas.“With regulations like the GDPR you have to understand what data you have in your organization. But you must also know how to take action on it and how to classify it so that policy can be applied accordingly. These are the fundamentals of compliance and the findings today should be used to educate businesses about the mistaken beliefs that could put an organization out of business," he added.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • hannibal
    Better security is badly needed so Hopefully the companies can fullfill the new regulations Sooner than later.