Organizations View GDPR as an Opportunity to Improve, IBM Reports

An IBM study finds that while most organizations see the EU's GDPR as an opportunity to improve, less than half are currently compliant.


Organizations are looking at the European Union's General Data Protection Regulation in a positive light, according to an IBM study released on May 16.

The study, titled "The end of the beginning: Unleashing the transformational power of GDPR," surveyed over 1,500 business leaders from around the world. Fifty-nine percent of the respondents see GDPR as more than just compliance issue, but rather as an opportunity to improve security and data privacy in general.

The report also found other positive attributes associated with GDPR compliance that can be benefit organizations.

"We were also pleased to see that companies were connecting the dots between consumer sentiment around data privacy and GDPR, with 84 percent acknowledging that GDPR compliance can be viewed as a positive differentiator to the public," Cindy Compert, CTO of Data Security & Privacy at IBM Security, told eWEEK.

GDPR goes into effect on May 25 and includes multiple sets of requirements to protect user privacy and data security. Among the core requirements of GDPR are strict guidelines on breach disclosure, requiring organizations to report within 72 hours that they have been the victim of a data breach.

While the IBM study found that most organizations view GDPR in a positive light, not all organizations will be compliant on May 25. Only 36 percent of organizations in the IBM study reported that they expect to be GDPR compliant by the deadline. Compert blames human behavior on why most companies will not be fully compliant by May 25. 

"Who has ever crammed for that big final exam the night before? You think you have lots of time to study and get ready, and invariably some other priority gets in the way," she said. "Now we are at the night before G-Day, and the organizations that have been in denial realize they had better study or they may fail the course."

Another reason why GDPR compliance numbers are so low could be because some organizations are waiting to see what enforcement actions arise before they step up. That said, since the regulators have been clear that there will be no grace period, it will be a very interesting few months to see what happens, she said. 

GDPR Challenges

There are multiple challenges that organizations face on their journey to become GDPR compliant. Compert said there is still a lot of uncertainty about GDPR in terms of what it means, how it will be applied, and whether or not it might change. 

For example, she noted that 44 percent of organizations in IBM's survey said they worry GDPR could be modified or replaced. In addition, there are challenges in the interpretation of GDPR. 

"If you have a legal background and read through the 261 pages of text, it lays out principles for the 99 articles and associated obligations," Compert said. "Because many of them are general, such as 'appropriate level of security', and open to interpretation within a given context, that tends to cause some confusion."

Among the areas where Compert has seen a gap in GDPR compliance efforts is incident response preparedness. 

"The majority of companies in the survey were lagging behind when it came to preparing for incident response through running simulations, and these companies also had a much lower level of executive involvement in incident response efforts," she said. "From what we’ve observed in running our Cyber Range exercises with clients, there is a lot to learn about coordination and orchestration from the executive suite on down."

No Magic GDPR Checklist

While the GDPR deadline is still looming, other standards are already in play. For example, many organizations in the United States and around the world are already required to be compliant with the Payment Card Industry Data Security Standard (PCI-DSS), which also deals with data security issues.

There are several differences between PCI-DSS and GDPR, according to Compert. Among the differences is the fact that PCI-DSS is very specific and very prescriptive—just like a math equation, there is a specific and correct answer. She noted that PCI has the "dirty dozen" specific controls, while GDPR states that protection should be designed according to the risk to the individual. 

"Often we have clients asking us to provide a magic checklist to reach GDPR compliance, but the truth is that so much of GDPR is contextual—there isn’t simply a list of boxes to check," she said. "IBM has come up with a GDPR Framework to help clients understand their obligations and what a journey is like, along with a set of best practices and tools to help, but much of what needs to be addressed is contextual."

May 25 Deadline

When the May 25 deadline for GDPR compliance arrives, it's not likely that end users and organizations in the EU and around the world will actually be safer than they were in the days before.

"It's one thing to post a new privacy notice on your website, but it’s another thing to implement identity and access management, incident response or even encryption," Compert said. "These things take time to plan and implement, but eventually, everyone benefits. Like everyone else, I’m waiting to see what transpires in the coming months."

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.