The management of many Dutch companies does not take the General Data Protection Regulation (GDPR) very seriously. Managers are wrongly confident when it comes to compliance with this legislation.
This is the main conclusion of Trend Micro's latest survey, which questioned more than 1,000 IT decision-makers worldwide at companies with 500+ employees. The research shows that there is some knowledge of the reasoning behind GDPR. For example, 93 percent of the surveyed professionals in the Netherlands know that they have to comply with the regulation, and 72 percent have themselves taken note of some of the exact rules. 61 percent of Dutch companies are convinced that the data cannot be stored safely.
What actually counts as personal data?
Even so, there is considerable uncertainty in the Netherlands about exactly which "personal data" need to be protected. That already begins with the inventory: 23 percent of Dutch respondents cannot initially indicate which personal data they have stored and where it is stored. Of all respondents surveyed in our country, 22 percent do not know that a date of birth should be classified as 'personal data'.
Worse still, more than half (53 percent) of Dutch IT decision-makers do not label the information in their e-mail marketing databases as personal data. For mailing addresses that percentage rises to 71 percent, and for e-mail addresses to an alarming 78 percent. Organizations that do not properly protect such data, which hackers frequently use for identity theft, risk high fines.
When it comes to those fines, many Dutch organizations are still in for a surprise. More than 60 percent do not know that fines can amount to between 2 and 4 percent of their annual turnover. Despite (or perhaps thanks to) this lack of knowledge about the legislation and the possible penalties, 24 percent of Dutch organizations are not concerned about a possible penalty. Chances are they will think differently once a data breach has occurred and they are actually put to the test, especially when customers, prospects and authorities start asking questions about their systems, their business operations and the management responsible for them.
"The lack of knowledge about GDPR, which is clearly evident in this research, is shocking. Birthdates, e-mail addresses, marketing databases and mailing addresses are all important customer data, and it is worrisome that so many Dutch organizations do not know this," says Rik Ferguson, VP Security Research at Trend Micro. "If organizations do not protect this data, they are not only failing to take their customers seriously, they are certainly not ready for GDPR."
Loss of EU data by a US party
However, the confusion goes further. Trend Micro also asked Dutch companies who is responsible for the loss of large amounts of EU data by a major US service provider. Only 10 percent could give the correct answer: both parties bear equal responsibility.
That is slightly worse than the global average of a modest 14 percent. 47 percent of Dutch organizations think the fine should be paid by the owner of the EU data, while 26 percent think the US service provider is at fault.
Who is responsible?
It is also clear that Dutch companies are not sure who is responsible for compliance with the regulation within their own organization. Of the respondents from the Netherlands, 26 percent believe that the CEO is responsible for GDPR compliance, and only 28 percent think it is the task of the CISO and/or the security team. The C-level in the Netherlands, however, does not seem very enthusiastic about GDPR: only 10 percent of Dutch managers are actively involved in the topic.
"With only nine months to go before GDPR enters into force, this should be one of the main points on the agenda of directors. However, the results of this research show that the subject seems to be ignored. When companies do not take these regulations seriously, they can actually receive a fine that amounts to a significant portion of their sales. It is a matter of the C-suite seeing GDPR as a business challenge rather than a security issue before it is too late," continues Ferguson. "Preparing for GDPR is a huge job, from investing in state-of-the-art technology to implementing rules on data protection and notifications. This preparation is useless, however, if companies do not know exactly what data they hold and who is responsible for it."
New threats continue to trouble businesses in a variety of ways. Many companies not only lack the expertise to handle them, but usually also lack the right technology to do so. GDPR obliges companies to implement the modern technology needed to deal with these risks. However, only 20 percent of Dutch companies have advanced technology to track down intruders on their network, 26 percent have installed encryption technology, and 16 percent of Dutch companies have invested in data leakage prevention technology.